Merge "Start the process of locking down proc/net"

d15d5a4e · TreeHugger Robot · Android (Google) Code Review · 8e15da53 · 08731895 · d15d5a4e
Commit d15d5a4e authored 6 years ago by TreeHugger Robot Committed by Android (Google) Code Review 6 years ago
--- a/public/file.te
+++ b/public/file.te
@@ -35,7 +35,8 @@ type proc_meminfo, fs_type, proc_type;
 type proc_misc, fs_type, proc_type;
 type proc_modules, fs_type, proc_type;
 type proc_mounts, fs_type, proc_type;
-type proc_net, fs_type, proc_type;
+type proc_net, fs_type, proc_type, proc_net_type;
+type proc_net_vpn, fs_type, proc_type, proc_net_type;
 type proc_page_cluster, fs_type, proc_type;
 type proc_pagetypeinfo, fs_type, proc_type;
 type proc_panic, fs_type, proc_type;

--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -39,7 +39,7 @@ allow hal_telephony_server self:netlink_kobject_uevent_socket create_socket_perm
 # Access to wake locks
 wakelock_use(hal_telephony_server)
-r_dir_file(hal_telephony_server, proc_net)
+r_dir_file(hal_telephony_server, proc_net_type)
 r_dir_file(hal_telephony_server, sysfs_type)
 r_dir_file(hal_telephony_server, system_file)

--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -5,7 +5,7 @@ binder_call(hal_wifi_server, hal_wifi_client)
 add_hwservice(hal_wifi_server, hal_wifi_hwservice)
 allow hal_wifi_client hal_wifi_hwservice:hwservice_manager find;
-r_dir_file(hal_wifi, proc_net)
+r_dir_file(hal_wifi, proc_net_type)
 r_dir_file(hal_wifi, sysfs_type)
 set_prop(hal_wifi, exported_wifi_prop)

--- a/public/hal_wifi_hostapd.te
+++ b/public/hal_wifi_hostapd.te
@@ -10,7 +10,7 @@ allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_r
 allow hal_wifi_hostapd_server sysfs_net:dir search;
 # Allow hal_wifi_hostapd to access /proc/net/psched
-allow hal_wifi_hostapd_server proc_net:file { getattr open read };
+allow hal_wifi_hostapd_server proc_net_type:file { getattr open read };
 # Various socket permissions.
 allowxperm hal_wifi_hostapd_server self:udp_socket ioctl priv_sock_ioctls;

--- a/public/hal_wifi_offload.te
+++ b/public/hal_wifi_offload.te
@@ -5,5 +5,5 @@ binder_call(hal_wifi_offload_server, hal_wifi_offload_client)
 add_hwservice(hal_wifi_offload_server, hal_wifi_offload_hwservice)
 allow hal_wifi_offload_client hal_wifi_offload_hwservice:hwservice_manager find;
-r_dir_file(hal_wifi_offload, proc_net)
+r_dir_file(hal_wifi_offload, proc_net_type)
 r_dir_file(hal_wifi_offload, sysfs_type)
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -9,7 +9,7 @@ allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager
 allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
 r_dir_file(hal_wifi_supplicant, sysfs_type)
-r_dir_file(hal_wifi_supplicant, proc_net)
+r_dir_file(hal_wifi_supplicant, proc_net_type)
 allow hal_wifi_supplicant kernel:system module_request;
 allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };

--- a/public/init.te
+++ b/public/init.te
@@ -275,7 +275,7 @@ allow init kernel:system syslog_mod;
 allow init self:global_capability2_class_set syslog;
 # init access to /proc.
-r_dir_file(init, proc_net)
+r_dir_file(init, proc_net_type)
 allow init {
  proc_cmdline
@@ -293,7 +293,7 @@ allow init {
  proc_hostname
  proc_hung_task
  proc_extra_free_kbytes
-  proc_net
+  proc_net_type
  proc_max_map_count
  proc_min_free_order_shift
  proc_overcommit_memory

--- a/public/logd.te
+++ b/public/logd.te
@@ -6,7 +6,10 @@ type logd_exec, exec_type, file_type;
 r_dir_file(logd, cgroup)
 r_dir_file(logd, proc_kmsg)
 r_dir_file(logd, proc_meminfo)
-r_dir_file(logd, proc_net)
+r_dir_file(logd, proc_net_type)
+userdebug_or_eng(`
+  auditallow logd proc_net_type:{ dir file lnk_file } { getattr open read };
+')
 allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
 allow logd self:global_capability2_class_set syslog;

--- a/public/netd.te
+++ b/public/netd.te
@@ -41,9 +41,9 @@ allow netd proc_qtaguid_ctrl:file rw_file_perms;
 # Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
 allow netd qtaguid_device:chr_file r_file_perms;
-r_dir_file(netd, proc_net)
+r_dir_file(netd, proc_net_type)
 # For /proc/sys/net/ipv[46]/route/flush.
-allow netd proc_net:file rw_file_perms;
+allow netd proc_net_type:file rw_file_perms;
 # Enables PppController and interface enumeration (among others)
 allow netd sysfs:dir r_dir_perms;

--- a/public/ppp.te
+++ b/public/ppp.te
@@ -5,7 +5,7 @@ type ppp_exec, exec_type, file_type;
 net_domain(ppp)
-r_dir_file(ppp, proc_net)
+r_dir_file(ppp, proc_net_type)
 allow ppp mtp:socket rw_socket_perms;

--- a/public/preopt2cachename.te
+++ b/public/preopt2cachename.te
@@ -10,4 +10,7 @@ allow preopt2cachename cppreopts:fd use;
 allow preopt2cachename cppreopts:fifo_file { getattr read write };
 # Allow write to logcat.
-allow preopt2cachename proc_net:file r_file_perms;
+allow preopt2cachename proc_net_type:file r_file_perms;
+userdebug_or_eng(`
+  auditallow preopt2cachename proc_net_type:{ dir file lnk_file } { getattr open read };
+')
--- a/public/shell.te
+++ b/public/shell.te
@@ -115,7 +115,7 @@ hwbinder_use(shell)
 allow shell hwservicemanager:hwservice_manager list;
 # allow shell to look through /proc/ for lsmod, ps, top, netstat.
-r_dir_file(shell, proc_net)
+r_dir_file(shell, proc_net_type)
 allow shell {
  proc_asound

--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -123,8 +123,8 @@ allow vendor_init {
 allow vendor_init dev_type:blk_file getattr;
 # Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
-r_dir_file(vendor_init, proc_net)
+r_dir_file(vendor_init, proc_net_type)
-allow vendor_init proc_net:file w_file_perms;
+allow vendor_init proc_net_type:file w_file_perms;
 allow vendor_init self:global_capability_class_set net_admin;
 # Write to /proc/sys/vm/page-cluster

--- a/public/vold.te
+++ b/public/vold.te
@@ -8,7 +8,11 @@ allow vold cache_file:file { getattr read };
 allow vold cache_file:lnk_file r_file_perms;
 # Read access to pseudo filesystems.
-r_dir_file(vold, proc_net)
+r_dir_file(vold, proc_net_type)
+userdebug_or_eng(`
+  auditallow vold proc_net_type:{ dir file lnk_file } { getattr open read };
+')
 r_dir_file(vold, sysfs_type)
 # XXX Label sysfs files with a specific type?
 allow vold sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.

--- a/public/wificond.te
+++ b/public/wificond.te
@@ -21,7 +21,7 @@ allow wificond self:netlink_socket create_socket_perms_no_ioctl;
 # newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
 allow wificond self:netlink_generic_socket create_socket_perms_no_ioctl;
-r_dir_file(wificond, proc_net)
+r_dir_file(wificond, proc_net_type)
 # allow wificond to check permission for dumping logs
 allow wificond permission_service:service_manager find;