From 9d28625fc4230b2bf466b0f8e3cde8c6b61eb416 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Wed, 4 Apr 2018 12:59:11 -0700
Subject: [PATCH] shell: move shell qtaguid perms to shell.te

Remove unnecessary access to /proc/net/xt_qtaguid/ctrl and
/dev/xt_qtaguid.

Bug: 68774956
Test: atest CtsNativeNetTestCases
Test: adb root; atest tagSocket
Change-Id: If3a1e823be0e342faefff28ecd878189c68a8e92
---
 public/app.te   | 5 +----
 public/shell.te | 1 +
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/public/app.te b/public/app.te
index 0a9e12825..4bdd8bf88 100644
--- a/public/app.te
+++ b/public/app.te
@@ -174,6 +174,7 @@ userdebug_or_eng(`
   allow appdomain heapdump_data_file:file append;
 ')
 
+r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
 # Write to /proc/net/xt_qtaguid/ctrl file.
 allow {
     untrusted_app_25
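Review bot: The added `r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)` line is a relocation of the identical line deleted in the following hunk, not part of the shell qtaguid move the subject describes, and the description does not mention it. If the reorder is intentional (grouping the generic /proc/net read ahead of the qtaguid-specific rules), a one-line mention in the commit message or a comment above it such as `# Read access to /proc/net for all apps except ephemeral and isolated ones.` would keep the policy history searchable; otherwise landing the move separately keeps this change shell-only and easier to audit.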
@@ -182,9 +183,7 @@ allow {
     priv_app
     system_app
     platform_app
-    shell
 } proc_qtaguid_ctrl:file rw_file_perms;
-r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
 # read /proc/net/xt_qtguid/*stat* to per-app network data usage.
 # Exclude isolated app which may not use network sockets.
 r_dir_file({
@@ -194,7 +193,6 @@ r_dir_file({
     priv_app
     system_app
     platform_app
-    shell
 }, proc_qtaguid_stat)
 # Everybody can read the xt_qtaguid resource tracking misc dev.
 # So allow all apps to read from /dev/xt_qtaguid.
@@ -205,7 +203,6 @@ allow {
     priv_app
     system_app
     platform_app
-    shell
 } qtaguid_device:chr_file r_file_perms;
 
 # Grant GPU access to all processes started by Zygote.
diff --git a/public/shell.te b/public/shell.te
index 5e2745be4..c5033ecfc 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -121,6 +121,7 @@ allow shell {
   proc_meminfo
   proc_modules
   proc_pid_max
+  proc_qtaguid_stat
   proc_stat
   proc_timer
   proc_uptime
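Review bot: `proc_qtaguid_stat` is added to an `allow shell { … }` list whose class and permission clause lie outside the hunk, so it is not visible whether this grant matches what the removed `r_dir_file(…, proc_qtaguid_stat)` rule in app.te gave shell — that macro covers the dir and lnk_file classes as well as file. If the closing line of this block is `:file r_file_perms` only, shell would lose directory search and read on anything labelled proc_qtaguid_stat; if shell needs that for the paths it reads, a separate `r_dir_file(shell, proc_qtaguid_stat)` line would preserve the previous access exactly. The enclosing allow block starts and ends outside the hunk. The `adb root; atest tagSocket` test line may also have run in a different, more permissive domain than shell on userdebug builds, so repeating it from a non-root `adb shell` would tie the test coverage to the shell domain this change narrows.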
-- 
GitLab