Commit 99940d1a authored by Nick Kralevich's avatar Nick Kralevich

remove /proc/net read access from domain.te

SELinux domains wanting read access to /proc/net need to
explicitly declare it.

TODO: fixup the ListeningPortsTest cts test so that it's not
broken.

Bug: 9496886
Change-Id: Ia9f1214348ac4051542daa661d35950eb271b2e4
parent 4a89cdfa
......@@ -83,6 +83,7 @@ allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdow
allow appdomain shell_data_file:file { write getattr };
# Write to /proc/net/xt_qtaguid/ctrl file.
allow appdomain proc_net:dir search;
allow appdomain qtaguid_proc:file rw_file_perms;
# Everybody can read the xt_qtaguid resource tracking misc dev.
# So allow all apps to read from /dev/xt_qtaguid.
......
......@@ -15,6 +15,7 @@ allow clatd netd:udp_socket { read write };
allow clatd netd:unix_stream_socket { read write };
allow clatd netd:unix_dgram_socket { read write };
r_dir_file(clatd, proc_net)
allow clatd self:capability { net_admin net_raw setuid setgid };
allow clatd self:netlink_route_socket nlmsg_write;
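Review bot: The `r_dir_file(clatd, proc_net)` line has no comment naming which /proc/net entries clatd reads, unlike rules in the other hunks that cite the path they exist for. With the blanket grant gone from domain.te, each explicit grant is the only record of why the access exists, so I would add a comment such as `# Reads <file under /proc/net> for <purpose>` above it. The same applies to `r_dir_file(radio, proc_net)` in the radio hunk and to `r_dir_file(system_server, proc_net)` in the system_server hunk, where the line sits directly under the xt_qtaguid comment and reads as if it belonged to that rule.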
......
......@@ -12,7 +12,8 @@ allow dhcp self:netlink_route_socket nlmsg_write;
allow dhcp shell_exec:file rx_file_perms;
allow dhcp system_file:file rx_file_perms;
# For /proc/sys/net/ipv4/conf/*/promote_secondaries
allow dhcp proc_net:file write;
allow dhcp proc_net:file rw_file_perms;
allow dhcp proc_net:dir r_dir_perms;
allow dhcp dhcp_prop:property_service set;
allow dhcp pan_result_prop:property_service set;
unix_socket_connect(dhcp, property, init)
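Review bot: `allow dhcp proc_net:file rw_file_perms;` and `allow dhcp proc_net:dir r_dir_perms;` (which appear to be the new lines) give dhcp read access to every proc_net-labelled file, while the comment above them justifies only a write to /proc/sys/net/ipv4/conf/*/promote_secondaries. If dhcp only writes that file, `allow dhcp proc_net:file w_file_perms;` (the macro the init rule already used) plus `allow dhcp proc_net:dir search;` would be the narrower grant, matching the search-only shape given to appdomain, dumpstate and mediaserver in this commit. Whether dhcp also reads under /proc/net is not visible from the hunk. The init and netd hunks widen their write rules in the same way under comments that mention only writes, so either narrow them or extend each comment to name what is read.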
......
......@@ -145,7 +145,6 @@ r_dir_file(domain, sysfs)
r_dir_file(domain, sysfs_devices_system_cpu)
r_dir_file(domain, inotify)
r_dir_file(domain, cgroup)
r_dir_file(domain, proc_net)
allow domain proc_cpuinfo:file r_file_perms;
# debugfs access
......
......@@ -60,6 +60,7 @@ domain_auto_trans(dumpstate, vdc_exec, vdc)
allow dumpstate sysfs:file w_file_perms;
# Other random bits of data we want to collect
allow dumpstate proc_net:dir search;
allow dumpstate qtaguid_proc:file r_file_perms;
allow dumpstate debugfs:file r_file_perms;
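Review bot: With the domain-wide grant removed, `allow dumpstate proc_net:dir search;` lets dumpstate traverse /proc/net but not read any proc_net-labelled file there; only qtaguid_proc files stay readable. The comment above speaks of collecting "other random bits of data", so if dumpstate opens other files under /proc/net directly (not visible in this hunk), those reads would now be denied and the corresponding bug-report sections would be empty. I would check the audit log from a bugreport run, and if the reads are wanted, grant them explicitly with `r_dir_file(dumpstate, proc_net)` and a comment naming the files.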
......
......@@ -123,7 +123,8 @@ allow init proc_security:file rw_file_perms;
allow init proc:file w_file_perms;
# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
allow init proc_net:file w_file_perms;
allow init proc_net:file rw_file_perms;
allow init proc_net:dir r_dir_perms;
allow init self:capability net_admin;
# Write to /proc/sysrq-trigger.
......
......@@ -61,6 +61,7 @@ allow mediaserver audio_data_file:dir ra_dir_perms;
allow mediaserver audio_data_file:file create_file_perms;
# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
allow mediaserver proc_net:dir search;
allow mediaserver qtaguid_proc:file rw_file_perms;
allow mediaserver qtaguid_device:chr_file r_file_perms;
......
......@@ -23,7 +23,8 @@ allow netd system_file:file x_file_perms;
allow netd devpts:chr_file rw_file_perms;
# For /proc/sys/net/ipv[46]/route/flush.
allow netd proc_net:file write;
allow netd proc_net:file rw_file_perms;
allow netd proc_net:dir r_dir_perms;
# For /sys/modules/bcmdhd/parameters/firmware_path
# XXX Split into its own type.
......
......@@ -17,6 +17,7 @@ allow radio radio_data_file:notdevfile_class_set create_file_perms;
allow radio alarm_device:chr_file rw_file_perms;
r_dir_file(radio, proc_net)
allow radio net_data_file:dir search;
allow radio net_data_file:file r_file_perms;
......
......@@ -91,6 +91,7 @@ allow system_server appdomain:file write;
# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
allow system_server qtaguid_proc:file rw_file_perms;
allow system_server qtaguid_device:chr_file rw_file_perms;
r_dir_file(system_server, proc_net)
# Write to /proc/sysrq-trigger.
allow system_server proc_sysrq:file rw_file_perms;
......