Start the process of locking down proc/net
Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.
To that end, this change:
* Introduces the proc_net_type attribute, which will be assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.
Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
navigate maps, send text message, make voice call, make video call.
Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest
Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e)
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 32ffc92..8f4db87 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -498,6 +498,7 @@
(typeattributeset proc_modules_26_0 (proc_modules))
(typeattributeset proc_net_26_0
( proc_net
+ proc_net_vpn
proc_qtaguid_stat))
(typeattributeset proc_overcommit_memory_26_0 (proc_overcommit_memory))
(typeattributeset proc_perf_26_0 (proc_perf))
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index f6b4583..a329389 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1213,6 +1213,7 @@
(typeattributeset proc_modules_27_0 (proc_modules))
(typeattributeset proc_net_27_0
( proc_net
+ proc_net_vpn
proc_qtaguid_stat))
(typeattributeset proc_overcommit_memory_27_0 (proc_overcommit_memory))
(typeattributeset proc_perf_27_0 (proc_perf))
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 053b254..eca489c 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -17,6 +17,8 @@
genfscon proc /modules u:object_r:proc_modules:s0
genfscon proc /mounts u:object_r:proc_mounts:s0
genfscon proc /net u:object_r:proc_net:s0
+genfscon proc /net/tcp u:object_r:proc_net_vpn:s0
+genfscon proc /net/udp u:object_r:proc_net_vpn:s0
genfscon proc /net/xt_qtaguid/ctrl u:object_r:proc_qtaguid_ctrl:s0
genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
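Review bot: The two new genfscon entries for `/net/tcp` and `/net/udp` are prefix matches, so they label more than the four files the commit message lists: `tcp6` and `udp6` as intended, but also any other /proc/net entry whose name starts with `tcp` or `udp` (e.g. `udplite`, `udplite6` on kernels that expose them), since genfscon picks the longest matching prefix. That is probably acceptable, but whoever later narrows the VPN carve-out needs to know its real reach, so I would say it on the line: `# prefix match: also labels tcp6/udp6 (and udplite*, if present) as proc_net_vpn`. If those extra files should stay `proc_net`, a longer-prefix entry such as `genfscon proc /net/udplite u:object_r:proc_net:s0` wins over `/net/udp` and keeps them out of the exemption.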
diff --git a/private/mdnsd.te b/private/mdnsd.te
index 96259e2..943f979 100644
--- a/private/mdnsd.te
+++ b/private/mdnsd.te
@@ -9,4 +9,4 @@
net_domain(mdnsd)
# Read from /proc/net
-r_dir_file(mdnsd, proc_net)
+r_dir_file(mdnsd, proc_net_type)
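Review bot: Moving mdnsd from `proc_net` to the `proc_net_type` attribute widens the grant rather than just renaming it: mdnsd now reads every type carrying the attribute, including `proc_net_vpn` and anything split out of /proc/net later, and unlike storaged and zygote in this same change it gets no auditallow. The commit message says privileged daemons are deliberately deferred, so a marker would stop this broad grant from being read as final, reviewed policy: `# TODO(b/9496886) attribute-wide grant pending audit; narrow to the files mdnsd reads.`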
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index ea58814..fc01999 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -6,7 +6,7 @@
allow netutils_wrapper self:global_capability_class_set net_raw;
allow netutils_wrapper system_file:file { execute execute_no_trans };
-allow netutils_wrapper proc_net:file { open read getattr };
+allow netutils_wrapper proc_net_type:file { open read getattr };
allow netutils_wrapper self:rawip_socket create_socket_perms;
allow netutils_wrapper self:udp_socket create_socket_perms;
allow netutils_wrapper self:global_capability_class_set net_admin;
diff --git a/private/platform_app.te b/private/platform_app.te
index 31c5741..eec503a 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -48,6 +48,13 @@
proc_vmstat
}:file r_file_perms;
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+r_dir_file(platform_app, proc_net_type)
+userdebug_or_eng(`
+ auditallow platform_app proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
allow platform_app audioserver_service:service_manager find;
allow platform_app cameraserver_service:service_manager find;
allow platform_app drmserver_service:service_manager find;
diff --git a/private/priv_app.te b/private/priv_app.te
index d81f8d5..3355502 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -88,6 +88,28 @@
proc_vmstat
}:file r_file_perms;
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+r_dir_file(priv_app, proc_net_type)
+userdebug_or_eng(`
+ auditallow priv_app proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+# TODO(b/68774956) qtaguid access has been moved to netd. Access is deprecated. Audit for
+# removal.
+allow priv_app proc_qtaguid_ctrl:file rw_file_perms;
+userdebug_or_eng(`
+ auditallow priv_app proc_qtaguid_ctrl:file rw_file_perms;
+')
+r_dir_file(priv_app, proc_qtaguid_stat)
+userdebug_or_eng(`
+ auditallow priv_app proc_qtaguid_stat:dir r_dir_perms;
+ auditallow priv_app proc_qtaguid_stat:file r_file_perms;
+')
+allow priv_app qtaguid_device:chr_file r_file_perms;
+userdebug_or_eng(`
+ auditallow priv_app qtaguid_device:chr_file r_file_perms;
+')
+
allow priv_app sysfs_type:dir search;
# Read access to /sys/class/net/wlan*/address
r_dir_file(priv_app, sysfs_net)
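Review bot: The three qtaguid grants added to priv_app (`proc_qtaguid_ctrl` with `rw_file_perms`, `proc_qtaguid_stat` read, `qtaguid_device` read) are not covered by any bullet in the commit message, and nothing in this diff removes equivalent rules from a shared app domain, so from the page alone it is impossible to tell whether priv_app is gaining write access to `/proc/net/xt_qtaguid/ctrl` or merely keeping it. Because that file is a kernel control interface (socket tagging), the description should say which; if these are relocated rules, a line such as `* Moves qtaguid access from the shared app policy into priv_app and untrusted_app_{25,27} (b/68774956).` would do. untrusted_app_all receives no matching grant in this change, so apps targeting the newest SDK appear to lose qtaguid unless it is granted elsewhere — worth stating explicitly if that is intended.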
diff --git a/private/storaged.te b/private/storaged.te
index 7fe6286..ff5390a 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -5,7 +5,10 @@
init_daemon_domain(storaged)
# Read access to pseudo filesystems
-r_dir_file(storaged, proc_net)
+r_dir_file(storaged, proc_net_type)
+userdebug_or_eng(`
+ auditallow storaged proc_net_type:{ dir file lnk_file } { getattr open read };
+')
r_dir_file(storaged, domain)
# Read /proc/uid_io/stats
diff --git a/private/system_app.te b/private/system_app.te
index efb768b..7a7411f 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -110,6 +110,13 @@
user_changed
};
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+r_dir_file(system_app, proc_net_type)
+userdebug_or_eng(`
+ auditallow system_app proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
# settings app reads /proc/version
allow system_app {
proc_version
diff --git a/private/system_server.te b/private/system_server.te
index 8e07d3f..72d408a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -730,7 +730,7 @@
allow system_server ion_device:chr_file r_file_perms;
r_dir_file(system_server, proc_asound)
-r_dir_file(system_server, proc_net)
+r_dir_file(system_server, proc_net_type)
r_dir_file(system_server, proc_qtaguid_stat)
allow system_server {
proc_loadavg
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index ba2c1e1..09207e2 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -40,3 +40,9 @@
# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
# This will go away in a future Android release
allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
+
+# qtaguid access. This is not a public API. Access will be removed in a
+# future version of Android.
+allow untrusted_app_25 proc_qtaguid_ctrl:file rw_file_perms;
+r_dir_file(untrusted_app_25, proc_qtaguid_stat)
+allow untrusted_app_25 qtaguid_device:chr_file r_file_perms;
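Review bot: The comment on the new qtaguid rules says the access will be removed but does not name the tracking bug, while the identical rules added to priv_app.te in this change cite `TODO(b/68774956)`; without a shared marker the two grants will drift apart when removal happens. Suggest `# TODO(b/68774956) qtaguid access. This is not a public API. Access will be removed in a future version of Android.` so a grep for the bug finds every rule to delete. The same applies to the copy in untrusted_app_27.te.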
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 79c7762..22a9343 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -26,3 +26,9 @@
untrusted_app_domain(untrusted_app_27)
net_domain(untrusted_app_27)
bluetooth_domain(untrusted_app_27)
+
+# qtaguid access. This is not a public API. Access will be removed in a
+# future version of Android.
+allow untrusted_app_27 proc_qtaguid_ctrl:file rw_file_perms;
+r_dir_file(untrusted_app_27, proc_qtaguid_stat)
+allow untrusted_app_27 qtaguid_device:chr_file r_file_perms;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index fbf5989..b2c4f40 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -138,3 +138,15 @@
# Allow the allocation and use of ptys
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
create_pty(untrusted_app_all)
+
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+# VPN apps require access to /proc/net/{tcp,udp} so access will need to be
+# limited through a mechanism other than SELinux.
+r_dir_file(untrusted_app_all, proc_net_type)
+userdebug_or_eng(`
+ auditallow untrusted_app_all {
+ proc_net_type
+ -proc_net_vpn
+ }:{ dir file lnk_file } { getattr open read };
+')
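Review bot: `r_dir_file(untrusted_app_all, proc_net_type)` grants by attribute, so any type later split out of /proc/net under this plan becomes readable by every untrusted app the moment it is given `proc_net_type`, unless someone remembers to subtract it here — the opposite of the direction the change is aiming for. The auditallow directly below already uses the `-proc_net_vpn` set-difference form, which shows the intended mechanism, but the allow line itself carries no such warning. I would add above the grant: `# Attribute grant: a new type given proc_net_type is automatically readable by untrusted apps. Exclude it here (-type) when splitting out a file apps must not see.`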
diff --git a/private/zygote.te b/private/zygote.te
index 4f26bd0..2810976 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -93,7 +93,10 @@
allow zygote zygote_exec:file rx_file_perms;
# Read access to pseudo filesystems.
-r_dir_file(zygote, proc_net)
+r_dir_file(zygote, proc_net_type)
+userdebug_or_eng(`
+ auditallow zygote proc_net_type:{ dir file lnk_file } { getattr open read };
+')
# Root fs.
r_dir_file(zygote, rootfs)