Merge "Improve neverallows on /proc and /sys"
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 5918f63..5d0461d 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -124,3 +124,12 @@
 # allow untrusted apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
 allow untrusted_app_all system_server:udp_socket { connect getattr read recvfrom sendto write };
+
+# This is allowed for targetSdkVersion <= 25 but disallowed on newer versions.
+dontaudit untrusted_app_all net_dns_prop:file read;
+
+# These have been disallowed since Android O.
+# For P, we assume that apps are safely handling the denial.
+dontaudit untrusted_app_all proc_stat:file read;
+dontaudit untrusted_app_all proc_vmstat:file read;
+dontaudit untrusted_app_all proc_uptime:file read;
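Review bot: The comments above the new `dontaudit` rules for `net_dns_prop`, `proc_stat`, `proc_vmstat` and `proc_uptime` say the accesses are disallowed, but not that the denials are now also silent. `dontaudit` leaves the access denied and only drops the avc message, so after this change a failing read by an untrusted app leaves no trace in the audit log. That matters to anyone triaging an app-compat report or watching for apps probing these files. I would extend the second comment with something like `# Still denied; dontaudit only suppresses the avc message, so these reads will not appear in logs.` The line "we assume that apps are safely handling the denial" would also be stronger if it said what that assumption rests on.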
diff --git a/public/domain.te b/public/domain.te
index ed567ae..0027efa 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1333,3 +1333,12 @@
 
 dontaudit domain proc_type:dir write;
 dontaudit domain sysfs_type:dir write;
+
+# These are only needed in permissive mode - in enforcing mode the
+# directory write check fails and so these are never attempted.
+userdebug_or_eng(`
+  dontaudit domain proc_type:dir add_name;
+  dontaudit domain sysfs_type:dir add_name;
+  dontaudit domain proc_type:file create;
+  dontaudit domain sysfs_type:file create;
+')
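Review bot: The new `userdebug_or_eng` block silences `add_name` and `create` for every `domain` on all of `proc_type` and `sysfs_type`, while its comment presents it only as permissive-mode cleanup and does not say the breadth is intended. Permissive mode on userdebug and eng builds is typically where denials are collected during bring-up. With the `dir write` rules just above already dontaudited, an attempted file creation on these types would now be unlogged at every step. I would state that in the comment, e.g. `# Intentionally covers all domains: with the dir write rules above, attempted creation on these types is never logged, even in permissive mode.` If a narrower source set than `domain` would be enough, that is worth a follow-up.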
diff --git a/public/te_macros b/public/te_macros
index 0e8dcf4..2cb1975 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -566,6 +566,7 @@
   allow keystore $1:process getattr;
   allow $1 keystore_service:service_manager find;
   binder_call($1, keystore)
+  binder_call(keystore, $1)
 ')
 
 ###########################################
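Review bot: The added `binder_call(keystore, $1)` lets keystore initiate binder calls into every domain that invokes this macro, and neither the hunk nor the commit title ("Improve neverallows on /proc and /sys") explains why. Assuming the usual definition of `binder_call` elsewhere in this file, the existing `binder_call($1, keystore)` on the line above already covers replies, so the new line is specifically about keystore-initiated calls. Because it widens what the keystore daemon can reach across all client domains, a one-line comment naming the callback it exists for would help, e.g. `# keystore calls back into the client for <callback interface>`. The macro's header is outside the hunk, so its name and full set of callers are not visible here.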