Merge "Start the process of locking down proc/net"

private/compat/26.0/26.0.cil

@@ -499,6 +499,7 @@
 (typeattributeset proc_modules_26_0 (proc_modules))
 (typeattributeset proc_net_26_0
   ( proc_net
+    proc_net_vpn
     proc_qtaguid_stat))
 (typeattributeset proc_overcommit_memory_26_0 (proc_overcommit_memory))
 (typeattributeset proc_perf_26_0 (proc_perf))

private/compat/27.0/27.0.cil

@@ -1213,6 +1213,7 @@
 (typeattributeset proc_modules_27_0 (proc_modules))
 (typeattributeset proc_net_27_0
   ( proc_net
+    proc_net_vpn
     proc_qtaguid_stat))
 (typeattributeset proc_overcommit_memory_27_0 (proc_overcommit_memory))
 (typeattributeset proc_perf_27_0 (proc_perf))

private/genfs_contexts

@@ -17,6 +17,8 @@ genfscon proc /misc u:object_r:proc_misc:s0
 genfscon proc /modules u:object_r:proc_modules:s0
 genfscon proc /mounts u:object_r:proc_mounts:s0
 genfscon proc /net u:object_r:proc_net:s0
+genfscon proc /net/tcp u:object_r:proc_net_vpn:s0
+genfscon proc /net/udp u:object_r:proc_net_vpn:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:proc_qtaguid_ctrl:s0
 genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0

private/mdnsd.te

@@ -9,4 +9,4 @@ init_daemon_domain(mdnsd)
 net_domain(mdnsd)
 
 # Read from /proc/net
-r_dir_file(mdnsd, proc_net)
+r_dir_file(mdnsd, proc_net_type)

private/netutils_wrapper.te

@@ -6,7 +6,7 @@ r_dir_file(netutils_wrapper, system_file);
 allow netutils_wrapper self:global_capability_class_set net_raw;
 
 allow netutils_wrapper system_file:file { execute execute_no_trans };
-allow netutils_wrapper proc_net:file { open read getattr };
+allow netutils_wrapper proc_net_type:file { open read getattr };
 allow netutils_wrapper self:rawip_socket create_socket_perms;
 allow netutils_wrapper self:udp_socket create_socket_perms;
 allow netutils_wrapper self:global_capability_class_set net_admin;

private/platform_app.te

@@ -45,6 +45,13 @@ allow platform_app {
   proc_vmstat
 }:file r_file_perms;
 
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+r_dir_file(platform_app, proc_net_type)
+userdebug_or_eng(`
+  auditallow platform_app proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
 allow platform_app audioserver_service:service_manager find;
 allow platform_app cameraserver_service:service_manager find;
 allow platform_app drmserver_service:service_manager find;

private/priv_app.te

@@ -85,6 +85,28 @@ allow priv_app {
   proc_vmstat
 }:file r_file_perms;
 
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+r_dir_file(priv_app, proc_net_type)
+userdebug_or_eng(`
+  auditallow priv_app proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+# TODO(b/68774956) qtaguid access has been moved to netd. Access is deprecated. Audit for
+# removal.
+allow priv_app proc_qtaguid_ctrl:file rw_file_perms;
+userdebug_or_eng(`
+  auditallow priv_app proc_qtaguid_ctrl:file rw_file_perms;
+')
+r_dir_file(priv_app, proc_qtaguid_stat)
+userdebug_or_eng(`
+  auditallow priv_app proc_qtaguid_stat:dir r_dir_perms;
+  auditallow priv_app proc_qtaguid_stat:file r_file_perms;
+')
+allow priv_app qtaguid_device:chr_file r_file_perms;
+userdebug_or_eng(`
+  auditallow priv_app qtaguid_device:chr_file r_file_perms;
+')
+
 allow priv_app sysfs_type:dir search;
 # Read access to /sys/class/net/wlan*/address
 r_dir_file(priv_app, sysfs_net)

private/storaged.te

@@ -5,7 +5,10 @@ type storaged_exec, exec_type, file_type;
 init_daemon_domain(storaged)
 
 # Read access to pseudo filesystems
-r_dir_file(storaged, proc_net)
+r_dir_file(storaged, proc_net_type)
+userdebug_or_eng(`
+  auditallow storaged proc_net_type:{ dir file lnk_file } { getattr open read };
+')
 r_dir_file(storaged, domain)
 
 # Read /proc/uid_io/stats

private/system_app.te

@@ -107,6 +107,13 @@ allow system_app keystore:keystore_key {
     user_changed
 };
 
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+r_dir_file(system_app, proc_net_type)
+userdebug_or_eng(`
+  auditallow system_app proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
 # settings app reads /proc/version
 allow system_app {
   proc_version

private/system_server.te

@@ -726,7 +726,7 @@ r_dir_file(system_server, cgroup)
 allow system_server ion_device:chr_file r_file_perms;
 
 r_dir_file(system_server, proc_asound)
-r_dir_file(system_server, proc_net)
+r_dir_file(system_server, proc_net_type)
 r_dir_file(system_server, proc_qtaguid_stat)
 allow system_server {
   proc_loadavg

private/untrusted_app_25.te

@@ -40,3 +40,9 @@ allow untrusted_app_25 proc_misc:file r_file_perms;
 # https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
 # This will go away in a future Android release
 allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
+
+# qtaguid access. This is not a public API. Access will be removed in a
+# future version of Android.
+allow untrusted_app_25 proc_qtaguid_ctrl:file rw_file_perms;
+r_dir_file(untrusted_app_25, proc_qtaguid_stat)
+allow untrusted_app_25 qtaguid_device:chr_file r_file_perms;

private/untrusted_app_27.te

@@ -26,3 +26,9 @@ app_domain(untrusted_app_27)
 untrusted_app_domain(untrusted_app_27)
 net_domain(untrusted_app_27)
 bluetooth_domain(untrusted_app_27)
+
+# qtaguid access. This is not a public API. Access will be removed in a
+# future version of Android.
+allow untrusted_app_27 proc_qtaguid_ctrl:file rw_file_perms;
+r_dir_file(untrusted_app_27, proc_qtaguid_stat)
+allow untrusted_app_27 qtaguid_device:chr_file r_file_perms;

private/untrusted_app_all.te

@@ -138,3 +138,15 @@ dontaudit untrusted_app_all net_dns_prop:file read;
 dontaudit untrusted_app_all proc_stat:file read;
 dontaudit untrusted_app_all proc_vmstat:file read;
 dontaudit untrusted_app_all proc_uptime:file read;
+
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+# VPN apps require access to /proc/net/{tcp,udp} so access will need to be
+# limited through a mechanism other than SELinux.
+r_dir_file(untrusted_app_all, proc_net_type)
+userdebug_or_eng(`
+  auditallow untrusted_app_all {
+    proc_net_type
+    -proc_net_vpn
+  }:{ dir file lnk_file } { getattr open read };
+')

private/zygote.te

@@ -93,7 +93,10 @@ allow zygote storage_file:dir { search mounton };
 allow zygote zygote_exec:file rx_file_perms;
 
 # Read access to pseudo filesystems.
-r_dir_file(zygote, proc_net)
+r_dir_file(zygote, proc_net_type)
+userdebug_or_eng(`
+  auditallow zygote proc_net_type:{ dir file lnk_file } { getattr open read };
+')
 
 # Root fs.
 r_dir_file(zygote, rootfs)

public/app.te

@@ -174,30 +174,33 @@ userdebug_or_eng(`
   allow appdomain heapdump_data_file:file append;
 ')
 
-r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
-# Write to /proc/net/xt_qtaguid/ctrl file.
-allow {
-    untrusted_app_25
-    untrusted_app_27
-    ephemeral_app
-    priv_app
-} proc_qtaguid_ctrl:file rw_file_perms;
-# read /proc/net/xt_qtguid/*stat* to per-app network data usage.
-# Exclude isolated app which may not use network sockets.
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+# proc_net access for the negated domains below is granted (or not) in their
+# individual .te files.
 r_dir_file({
-    untrusted_app_25
-    untrusted_app_27
-    ephemeral_app
-    priv_app
-}, proc_qtaguid_stat)
-# Everybody can read the xt_qtaguid resource tracking misc dev.
-# So allow all apps to read from /dev/xt_qtaguid.
-allow {
-    untrusted_app_25
-    untrusted_app_27
-    ephemeral_app
-    priv_app
-} qtaguid_device:chr_file r_file_perms;
+  appdomain
+  -ephemeral_app
+  -isolated_app
+  -platform_app
+  -priv_app
+  -shell
+  -system_app
+  -untrusted_app_all
+}, proc_net_type)
+# audit access for all these non-core app domains.
+userdebug_or_eng(`
+  auditallow {
+    appdomain
+    -ephemeral_app
+    -isolated_app
+    -platform_app
+    -priv_app
+    -shell
+    -system_app
+    -untrusted_app_all
+  } proc_net_type:{ dir file lnk_file } { getattr open read };
+')
 
 # Grant GPU access to all processes started by Zygote.
 # They need that to render the standard UI.

public/attributes

@@ -39,6 +39,13 @@ attribute vendor_file_type;
 # All types used for procfs files.
 attribute proc_type;
 
+# Types in /proc/net, excluding qtaguid types.
+# TODO(b/9496886) Lock down access to /proc/net.
+# This attribute is used to audit access to proc_net. it is temporary and will
+# be removed.
+attribute proc_net_type;
+expandattribute proc_net_type true;
+
 # All types used for sysfs files.
 attribute sysfs_type;
 

public/clatd.te

@@ -4,7 +4,10 @@ type clatd_exec, exec_type, file_type;
 
 net_domain(clatd)
 
-r_dir_file(clatd, proc_net)
+r_dir_file(clatd, proc_net_type)
+userdebug_or_eng(`
+  auditallow clatd proc_net_type:{ dir file lnk_file } { getattr open read };
+')
 
 # Access objects inherited from netd.
 allow clatd netd:fd use;

public/dhcp.te

@@ -15,7 +15,7 @@ not_full_treble(`allow dhcp vendor_file:file rx_file_perms;')
 allow dhcp toolbox_exec:file rx_file_perms;
 
 # For /proc/sys/net/ipv4/conf/*/promote_secondaries
-allow dhcp proc_net:file write;
+allow dhcp proc_net_type:file write;
 
 set_prop(dhcp, dhcp_prop)
 set_prop(dhcp, pan_result_prop)

public/domain.te

@@ -23,7 +23,7 @@ allow domain self:process {
 };
 allow domain self:fd use;
 allow domain proc:dir r_dir_perms;
-allow domain proc_net:dir search;
+allow domain proc_net_type:dir search;
 r_dir_file(domain, self)
 allow domain self:{ fifo_file file } rw_file_perms;
 allow domain self:unix_dgram_socket { create_socket_perms sendto };

public/dumpstate.te

@@ -161,7 +161,7 @@ allow dumpstate {
   proc_cmdline
   proc_meminfo
   proc_modules
-  proc_net
+  proc_net_type
   proc_pipe_conf
   proc_pagetypeinfo
   proc_qtaguid_ctrl