- Apr 10, 2018

Jeff Vander Stoep authored
Files in /proc/net leak information. This change is the first step in determining which files apps may use, whitelisting benign access, and otherwise removing access while providing safe alternative APIs.

To that end, this change:
* Introduces the proc_net_type attribute which will be assigned to any new SELinux types in /proc/net to avoid removing access to privileged processes. These processes may be evaluated later, but are lower priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently granted broad read access to /proc/net but should not be, including storaged, zygote, clatd, logd, preopt2cachename and vold.

Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube, navigate maps, send text message, make voice call, make video call. Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and "Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest
Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457

Florian Mayer authored
Without this, we only have visibility into writes. Looking at traces, we realised for many of the files we care about (.dex, .apk) most filesystem events are actually reads.

See aosp/661782 for matching filesystem permission change.

Bug: 73625480
Change-Id: I6ec71d82fad8f4679c7b7d38e3cb90aff0b9e298
- Apr 09, 2018

Alan Stokes authored
This reverts commit db83323a.

Reason for revert: breaks some builds due to duplicate genfs entries

Change-Id: I47813bd84ff10074a32cf483501a9337f556e92a

Alan Stokes authored
This allows system_server to access it for determining battery stats (see KernelMemoryBandwidthStats.java).

batterystats-wo: type=1400 audit(0.0:429): avc: denied { read } for name="show_stat" dev="sysfs" ino=48071 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0

Bug: 72643420
Bug: 73947096
Test: Denial is no longer present.
Change-Id: Ibe46aee48eb3f78fa5a9d1f36602c082c33036f7
(cherry picked from commit a8b3634d)
- Apr 06, 2018

Alan Stokes authored
This allows system_server to access it for determining battery stats (see KernelMemoryBandwidthStats.java).

batterystats-wo: type=1400 audit(0.0:429): avc: denied { read } for name="show_stat" dev="sysfs" ino=48071 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0

Bug: 72643420
Bug: 73947096
Test: Denial is no longer present.
Change-Id: Ibe46aee48eb3f78fa5a9d1f36602c082c33036f7
- Apr 03, 2018

Jeff Vander Stoep authored
Test: build
Bug: 68774956
Change-Id: I0f9fd87eb41e67e14f35e49eba13e3d1de745250

Jeff Vander Stoep authored
Test: build
Bug: 68774956
Change-Id: I0f9fd87eb41e67e14f35e49eba13e3d1de745250
(cherry picked from commit 5f650f581a2699bb2d5aaaa4675d651eb47c1c16)
- Mar 30, 2018

Florian Mayer authored
See also go/perfetto-io-tracing-security.

* Grant CAP_DAC_READ_SEARCH to traced_probes.
* Allow traced_probes to list selected labels.
* Change ext4 and f2fs events to be available on user builds.

Bug: 74584014
Change-Id: I891a0209be981d760a828a69e4831e238248ebad
- Mar 29, 2018

Joel Galenson authored
This allows init to write to it, which it does for atrace.

Bug: 72643420
Test: Boot two devices, observe no denials, test atrace.
Change-Id: I6810e5dcdfaff176bd944317e66d4fe612ccebed
(cherry picked from commit dce07413)

Florian Mayer authored
See also go/perfetto-io-tracing-security.

* Grant CAP_DAC_READ_SEARCH to traced_probes.
* Allow traced_probes to list selected labels.
* Change ext4 and f2fs events to be available on user builds.

Bug: 74584014
Cherry-picked from aosp/631805
Change-Id: I891a0209be981d760a828a69e4831e238248ebad
Merged-In: I891a0209be981d760a828a69e4831e238248ebad

Joel Galenson authored
This allows init to write to it, which it does for atrace.

Bug: 72643420
Test: Boot two devices, observe no denials, test atrace.
Change-Id: I6810e5dcdfaff176bd944317e66d4fe612ccebed
- Feb 13, 2018

Primiano Tucci authored
Allows the traced_probes daemon to access the core ftrace functionalities on user builds. Specifically this involves:
- Whitelisting the per_cpu/ subdirectory to access:
  1) trace_pipe_raw file to allow perfetto to read the raw ftrace buffer (rather than the text-based /trace endpoint)
  2) cpuX/stats and cpuX/buffer_size_kb that allow to tune the buffer size per-cpu pipe and to get basic statistics about the ftrace buffer (#events, overruns)
- Whitelisting the full event directories rather than the /enable files. This also gives access to the /format files for the events that are already enabled on user builds. /format files simply describe the memory layout of the binary logs. Example: https://ghostbin.com/paste/f8m4k

This still does NOT allow enabling the events labeled as "_debug" (mostly events that return activity on inodes). We'll deal with that separately as soon as we get a POC of inode resolution and a sensible blacklist/whitelist model.

Bug: 70942310
Change-Id: Ic15cca0a9d7bc0e45aa48097a94eadef44c333f8
- Feb 07, 2018

Tri Vo authored
Bug: 72878750
Test: build sepolicy
Change-Id: Ifa6822e042beed0e5971c85155aa526912807c8a
- Feb 05, 2018

Carmen Jackson authored
This changes tracefs files to be default-enabled in debug mode, but default-disabled with specific files enabled in user mode.

Bug: 64762598
Test: Successfully took traces in user mode.
Change-Id: I572ea22253e0c1e42065fbd1d2fd7845de06fceb
- Jan 24, 2018

Marissa Wall authored
Do not let apps read /proc/uid_cpupower/time_in_state, /proc/uid_cpupower/concurrent_active_time, /proc/uid_cpupower/concurrent_policy_time.

b/71718257

Test: Check that they can't be read from the shell without root permissions and system_server was able to read them
Change-Id: I812694adfbb4630f7b56aa7096dc2e6dfb148b15

Joel Galenson authored
Init tries to write /proc/sys/vm/min_free_order_shift but fails due to a SELinux denial. This gives the file a new label and gives init the ability to write it.

Test: Build and booted Sailfish (a couple of days ago).
Change-Id: Ic93862b85c468afccff2019d84b927af9ed2a84d
- Jan 23, 2018

Yi Jin authored
Bug: 64222712
Test: manual
Change-Id: Ica77ae3c9e535eddac9fccf11710b0bcb3254ab3

Tri Vo authored
And grant appropriate permissions to more granular types.

Bug: 29319732
Bug: 65643247
Test: adb bugreport; no new denials to /proc or /sys files.
Change-Id: Ied99546164e79bfa6148822858c165177d3720a5
- Jan 20, 2018

Tri Vo authored
Bug: 65643247
Test: manual
Test: browse internet
Test: take a picture
Change-Id: I9faff44b7a025c7422404d777113e40842ea26dd
- Jan 19, 2018

Daniel Rosenberg authored
Test: esdfs should be mountable and usable with selinux on
Bug: 63876697
Change-Id: I7a1d96d3f0d0a6dbc1c98f0c4a96264938011b5e
- Jan 11, 2018

Jeff Vander Stoep authored
/proc/net/xt_qtaguid is used by apps to track their network data use. Limit access to just zygote spawned processes - apps and system_server, omitting access to isolated_app which is not allowed to create network sockets. As Android moves to eBPF for app's network data stats, access to /proc/net/xt_qtaguid will be removed entirely. Segmenting access off is the first step.
Bug: 68774956

This change also helps further segment and whitelist access to files in /proc/net and is a step in the lockdown of /proc/net.
Bug: 9496886

Test: boot Taimen. Walk through setup-wizard. Make phone call and video call. Browse web. Watch youtube. Navigate in maps.
Test: cts-tradefed run cts -m CtsAppSecurityHostTestCases -t \
    android.appsecurity.cts.AppSecurityTests
Test: cts-tradefed run cts -m CtsNativeNetTestCases
Test: cts-tradefed run cts -m CtsIncidentHostTestCases -t \
    com.android.server.cts.NetstatsIncidentTest
Test: cts-tradefed run cts -m CtsOsTestCases -t \
    android.os.cts.StrictModeTest
Test: cts-tradefed run cts -m CtsNetTestCases -t \
    android.net.cts.TrafficStatsTest
Test: cts-tradefed run cts -m CtsUsageStatsTestCases -t \
    android.app.usage.cts.NetworkUsageStatsTest
Test: vts-tradefed run vts -m VtsQtaguidTest
Change-Id: Idddd318c56b84564142d37b11dcc225a2f2800ea
- Jan 08, 2018

Luis Hector Chavez authored
This reverts commit 640e595a.

The corresponding code in libcutils was removed, so this is now unneeded.

Bug: 71632076
Test: aosp_sailfish still works
Change-Id: I615bab83e9a83bc14439b8ab90c00d3156b0a7c4
- Jan 02, 2018

Chenbo Feng authored
Some necessary sepolicy rule changes for init process to create directory, mount cgroupv2 module and mount bpf filesystem. Also allow netd to create and pin bpf object as files and read it back from file under the directory where bpf filesystem is mounted.

Test: bpf maps show up under /sys/fs/bpf/
Change-Id: I579d04f60d7e20bd800d970cd28cd39fda9d20a0
- Dec 22, 2017

Jeffrey Vander Stoep authored
This reverts commit 84f96859.

Fixes: 70874565
Reason for revert: massive logspam during phone calls.

Change-Id: If00e46535f71209eea999e4d5d499bf40a5f16fd
- Dec 16, 2017

Jeff Vander Stoep authored
Many processes including third party apps are expected to access /proc/net/xt_qtaguid/stats. Give this file a new label to avoid spamming the logs and temporarily grant read access to all processes. Read-only permission is adequate for all processes based on unix permissions.

sailfish:/ # ls -laZ /proc/net/xt_qtaguid/stats
-r--r--r-- 1 root net_bw_stats u:object_r:proc_net_xt_qtaguid_stats:s0 stats

Bug: 9496886
Bug: 68016944
Bug: 70722355
Test: Build/flash Sailfish. Browse in Chrome and watch videos in youtube. No "denied" or "granted" selinux messages observed in the logs.
Change-Id: I29f1ee806c8149988b9b93a950790d14754927ef
- Dec 12, 2017

Marissa Wall authored
Do not let apps read uid_concurrent_active_time and uid_concurrent_policy_time.

b/68399339

Test: Check that they can't be read from the shell without root permissions and system_server was able to read them
Change-Id: I6f09ef608607cb9f4084ba403a1e7254b8c49a06
- Dec 09, 2017

Tri Vo authored
We already expect contents of /sys/class/net to be labeled as sysfs_net. Also label the directory for consistency since we usually label /sys/class/foo directories as sysfs_foo.

Bug: 65643247
Test: netd_integration_test
Test: can browse internet without denials to sysfs_net
Change-Id: I9d28ab4baf71df99ae966276532f14684d1abca6
- Dec 06, 2017

Andreas Gampe authored
Label /sys/kernel/notes.

Bug: 70275668
Test: m
Change-Id: Ieb666425d2db13f85225fb902fe06b0bf2335bef

Tri Vo authored
Add write access to:
sysfs_android_usb
sysfs_leds
sysfs_power
sysfs_zram

Add setattr access to:
sysfs_android_usb
sysfs_devices_system_cpu
sysfs_lowmemorykiller
sysfs_power
sysfs_leds
sysfs_ipv4

Bug: 70040773
Bug: 65643247
Change-Id: I68e2e796f5599c9d281897759c8d8eef9363559a
Test: walleye boots with no denials from init to sysfs.
- Dec 01, 2017

Tri Vo authored
Add write access to:
sysfs_android_usb
sysfs_leds
sysfs_power
sysfs_zram

Add setattr access to:
sysfs_android_usb
sysfs_devices_system_cpu
sysfs_lowmemorykiller
sysfs_power
sysfs_leds
sysfs_ipv4

Bug: 65643247
Test: walleye boots with no denials from init to sysfs.
Change-Id: Ibc9a54a5f43f3d53ab7cbb0fdb9589959b31ebde

- Nov 29, 2017

Connor O'Brien authored
/proc/uid/ provides the same per-uid time_in_state data as /proc/uid_time_in_state, so apply the same type and let system_server read directories of this type.

Bug: 66953705
Test: system_server can read /proc/uid/*/time_in_state files without denials on sailfish
Change-Id: Iab7fd018c5296e8c0140be81c14e5bae9e0acb0b
Signed-off-by: Connor O'Brien <connoro@google.com>
- Nov 28, 2017

Tri Vo authored
And give shell domain read access to /proc/sys/kernel/pic_max.

Bug: 69569397
Test: adb shell /data/nativetest/bionic-unit-tests/bionic-unit-tests --gtest_filter=pthread.pthread_mutex_owner_tid_limit
Change-Id: Ib56c18ed553ad2c2113e6913788a4c00965483cc
- Nov 16, 2017

Tri Vo authored
Label /proc/sys/fs/pipe-max-size with new type proc_pipe_conf and give system_server access to it.

Addresses this denial:
avc: denied { read } for name="pipe-max-size" dev="proc" ino=93817 scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0

Bug: 69175449
Bug: 69324398
Test: sailfish boots
Test: adb bugreport
Test: craft an unresponsive app, trigger ANR, make sure traces are dumped into /data/anr
Above denial from system_server not observed, no denials to proc_pipe_conf observed.
Change-Id: I7c71f05820a4945ba982e29f76e9d9f4458b2b59
- Nov 08, 2017

Tri Vo authored
New types and files labeled with them:
1. proc_abi: /proc/sys/abi/swp
2. proc_dirty: /proc/sys/vm/dirty_background_ratio
   /proc/sys/vm/dirty_expire_centisecs
3. proc_diskstats: /proc/diskstats
4. proc_extra_free_kbytes: /proc/sys/vm/extra_free_kbytes
5. proc_hostname: /proc/sys/kernel/domainname
   /proc/sys/kernel/hostname
6. proc_hung_task: /proc/sys/kernel/hung_task_timeout_secs
7. proc_max_map_count: /proc/sys/vm/max_map_count
8. proc_panic: /proc/sys/kernel/panic_on_oops
9. proc_sched: /proc/sys/kernel/sched_child_runs_first
   /proc/sys/kernel/sched_latency_ns
   /proc/sys/kernel/sched_rt_period_us
   /proc/sys/kernel/sched_rt_runtime_us
   /proc/sys/kernel/sched_tunable_scaling
   /proc/sys/kernel/sched_wakeup_granularity_ns
10. proc_uptime: /proc/uptime

Files labeled with already existing types:
1. proc_perf: /proc/sys/kernel/perf_event_paranoid
2. proc_sysrq: /proc/sys/kernel/sysrq
3. usermodehelper: /proc/sys/kernel/core_pipe_limit

Changes to init domain:
1. Removed access to files with 'proc' label.
2. Added access to newly introduced types + proc_kmsg.

Bug: 68949041
Test: walleye boots without denials from u:r:init:s0.
Test: system/core/init/grab-bootchart.sh does not trigger denials from u:r:init:s0
Change-Id: If1715c3821e277679c320956df33dd273e750ea2
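The commits above (and the /proc/net ones earlier in this history) work by giving individual /proc paths their own genfscon type so that broad access to the generic `proc` label can be withdrawn. The following is an added illustration, not code from the sepolicy project: it reproduces the kernel's genfs lookup rule (longest matching string prefix wins) over a constructed table that uses type names from these commit messages but an assumed path set rather than the real genfs_contexts file.

```python
from typing import List, Optional, Tuple

# Constructed genfscon-style table for the proc filesystem (paths relative to
# the mount point).  Type names come from the commit messages on this page; the
# path set is an assumption for illustration, not the real genfs_contexts file.
GENFS_PROC: List[Tuple[str, str]] = [
    ("/", "proc"),                                   # generic fallback label
    ("/diskstats", "proc_diskstats"),
    ("/uptime", "proc_uptime"),
    ("/sys/fs/pipe-max-size", "proc_pipe_conf"),
    ("/sys/kernel/hostname", "proc_hostname"),
    ("/sys/kernel/domainname", "proc_hostname"),
    ("/sys/kernel/panic_on_oops", "proc_panic"),
    ("/sys/kernel/random", "proc_random"),           # one entry covers the directory
    ("/sys/kernel/sched_latency_ns", "proc_sched"),
    ("/net", "proc_net"),                            # default for /proc/net/*
    ("/net/tcp", "proc_net_vpn"),
    ("/net/tcp6", "proc_net_vpn"),
    ("/net/udp", "proc_net_vpn"),
    ("/net/udp6", "proc_net_vpn"),
    ("/net/xt_qtaguid/stats", "proc_net_xt_qtaguid_stats"),
]


def genfs_label(path: str, table: List[Tuple[str, str]] = GENFS_PROC) -> str:
    """Resolve a path to its genfscon type the way the kernel's genfs lookup does.

    An entry matches when its path is a plain string prefix of the queried path,
    and the longest matching entry wins.  Because the match is on strings rather
    than path components, "/net/tcp" also covers a hypothetical sibling such as
    "/net/tcpfoo"; a name that must not share a label needs an entry of its own.
    """
    best: Optional[Tuple[str, str]] = None
    for prefix, label in table:
        if path.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, label)
    if best is None:
        raise ValueError(f"no genfscon entry covers {path!r}")
    return best[1]


def still_generic(paths: List[str], generic: str = "proc") -> List[str]:
    """Audit helper: which of these paths still resolve to the generic type?

    Every domain holding broad access to that type reaches all of them; giving a
    path its own label is what lets the broad rule be dropped, as the init-domain
    change above does by removing access to files with the plain 'proc' label.
    """
    return [p for p in paths if genfs_label(p) == generic]
```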
Luis Hector Chavez authored
Bug: 62378620
Test: Android in Chrome OS can call uevent_kernel_recv() and not fail with EIO.
Test: bullhead networking still works
Change-Id: I4dd5d2148ee1704c4fa23d7fd82d1ade19b58cbd
- Oct 24, 2017

Tom Cherry authored
Test: boot sailfish with no audit when writing to page-cluster
Change-Id: I2bfebdf9342594d66d95daaec92d71195c93ffc8

Tri Vo authored
New types:
1. proc_random
2. sysfs_dt_firmware_android

Labeled:
1. /proc/sys/kernel/random as proc_random.
2. /sys/firmware/devicetree/base/firmware/android/{compatible, fstab, vbmeta} as sysfs_dt_firmware_android.

Changed access:
1. uncrypt, update_engine, postinstall_dexopt have access to generic proc and sysfs labels removed.
2. appropriate permissions were added to uncrypt, update_engine, update_engine_common, postinstall_dexopt.

Bug: 67416435
Bug: 67416336
Test: fake ota go/manual-ab-ota runs without denials
Test: adb sideload runs without denials to new types
Change-Id: Id31310ceb151a18652fcbb58037a0b90c1f6505a
- Oct 20, 2017

Tri Vo authored
Remove netd access to sysfs_type attribute.

These were moved from vendor to fwk policy:
1. sysfs_net type declaration
2. labeling of /sys/devices/virtual/net with sysfs_net
3. netd access to sysfs_net

Bug: 65643247
Test: can browse internet without netd denials
Test: netd_unit_test, netd_integration_test without netd denials
Merged-In: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e
Change-Id: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e
(cherry picked from commit e62a56b7)