Create proc_net type for /proc/sys/net entries.

/proc/sys/net could use its own type to help distinguish among some of the proc access rules. Fix dhcp and netd because of this. Change-Id: I6e16cba660f07bc25f437bf43e1eba851a88d538 Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

Create proc_net type for /proc/sys/net entries.
/proc/sys/net could use its own type to help distinguish among some of the proc access rules. Fix dhcp and netd because of this. Change-Id: I6e16cba660f07bc25f437bf43e1eba851a88d538 Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
529fcbe0 · Robert Craig · 11c48d4c · 529fcbe0 · 529fcbe0 · 529fcbe0
Commit 529fcbe0 authored 11 years ago by Robert Craig
--- a/dhcp.te
+++ b/dhcp.te
@@ -13,7 +13,8 @@ allow dhcp self:packet_socket create_socket_perms;
 allow dhcp self:netlink_route_socket { create_socket_perms nlmsg_write };
 allow dhcp shell_exec:file rx_file_perms;
 allow dhcp system_file:file rx_file_perms;
-allow dhcp proc:file write;
+# For /proc/sys/net/ipv4/conf/*/promote_secondaries
+allow dhcp proc_net:file write;
 allow dhcp system_prop:property_service set ;
 allow dhcp dhcp_system_file:file rx_file_perms;
 allow dhcp dhcp_system_file:dir r_dir_perms;

--- a/domain.te
+++ b/domain.te
@@ -106,6 +106,7 @@ r_dir_file(domain, sysfs)
 r_dir_file(domain, sysfs_devices_system_cpu)
 r_dir_file(domain, inotify)
 r_dir_file(domain, cgroup)
+r_dir_file(domain, proc_net)
 # debugfs access
 allow domain debugfs:dir r_dir_perms;

--- a/file.te
+++ b/file.te
@@ -10,6 +10,7 @@ type proc_security, fs_type;
 type usermodehelper, fs_type, sysfs_type;
 type qtaguid_proc, fs_type, mlstrustedobject;
 type proc_bluetooth_writable, fs_type;
+type proc_net, fs_type;
 type selinuxfs, fs_type;
 type cgroup, fs_type, mlstrustedobject;
 type sysfs, fs_type, mlstrustedobject;

--- a/genfs_contexts
+++ b/genfs_contexts
@@ -15,6 +15,7 @@ genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
 genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
 genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/net u:object_r:proc_net:s0
 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0

--- a/netd.te
+++ b/netd.te
@@ -16,8 +16,7 @@ allow netd system_file:file x_file_perms;
 allow netd devpts:chr_file rw_file_perms;
 # For /proc/sys/net/ipv[46]/route/flush.
-# XXX Split /proc/sys/net into its own type.
+allow netd proc_net:file write;
-allow netd proc:file write;
 # For /sys/modules/bcmdhd/parameters/firmware_path
 # XXX Split into its own type.