From e45cad770c6ffcc46ca834320d7892d744d0693b Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Fri, 24 Jul 2015 13:25:45 -0700
Subject: [PATCH] Do not allow apps to access network address file

Bug: 18068520
Bug: 21852542
Change-Id: I876b37ac31dd44201ea1c1400a7c2c16c6a10049
---
 file.te          | 1 +
 system_server.te | 1 +
 untrusted_app.te | 3 +++
 3 files changed, 5 insertions(+)

diff --git a/file.te b/file.te
index 623bb8df3..d3b09796e 100644
--- a/file.te
+++ b/file.te
@@ -21,6 +21,7 @@ type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_wake_lock, fs_type, sysfs_type;
+type sysfs_mac_address, fs_type, sysfs_type;
 # /sys/devices/system/cpu
 type sysfs_devices_system_cpu, fs_type, sysfs_type;
 # /sys/module/lowmemorykiller
diff --git a/system_server.te b/system_server.te
index 2a1664210..4b16d46d5 100644
--- a/system_server.te
+++ b/system_server.te
@@ -146,6 +146,7 @@ selinux_check_access(system_server)
 allow system_server sysfs:file rw_file_perms;
 allow system_server sysfs_nfc_power_writable:file rw_file_perms;
 allow system_server sysfs_devices_system_cpu:file w_file_perms;
+allow system_server sysfs_mac_address:file r_file_perms;
 
 # Access devices.
 allow system_server device:dir r_dir_perms;
diff --git a/untrusted_app.te b/untrusted_app.te
index 72d0a1bbf..bcadc5209 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -142,3 +142,6 @@ neverallow untrusted_app mlstrustedsubject:process fork;
 # bugs, so we want to ensure untrusted_app never has this
 # capability.
 neverallow untrusted_app file_type:file link;
+
+# Do not allow untrusted_app to access network MAC address file
+neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
-- 
GitLab