From d78e07cbb717ddd1e87c415cfb0163b504adcf35 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Mon, 10 Sep 2018 12:32:31 -0700
Subject: [PATCH] Remove untrusted app access to /proc/net

This change is for testing potential app-compat issues when removing
access to files in /proc/net. See: b/114475727#comment11.

Bug: 114475727
Test: build/boot taimen.
Test: atest CtsLibcoreOjTestCases
Test: FileSystemPermissionTest
Test: ListeningPortsTest b/114772424
Change-Id: I1db1c2b41308e47c9ec9db57ea8597a650c8906d
(cherry picked from commit 6784f80bad2db8a33c7faad60fc489069da8a9b4)
---
 private/untrusted_app_all.te | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 11cea6ea2..32eec26df 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -135,18 +135,6 @@ dontaudit untrusted_app_all proc_uptime:file read;
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
 create_pty(untrusted_app_all)
 
-# /proc/net access.
-# TODO(b/9496886) Audit access for removal.
-# VPN apps require access to /proc/net/{tcp,udp} so access will need to be
-# limited through a mechanism other than SELinux.
-r_dir_file(untrusted_app_all, proc_net_type)
-userdebug_or_eng(`
-  auditallow untrusted_app_all {
-    proc_net_type
-    -proc_net_vpn
-  }:{ dir file lnk_file } { getattr open read };
-')
-
 # Attempts to write to system_data_file is generally a sign
 # that apps are attempting to access encrypted storage before
 # the ACTION_USER_UNLOCKED intent is delivered. Suppress this
-- 
GitLab