Start the process of locking down proc/net

Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.

To that end, this change:
* Introduces the proc_net_type attribute which will be assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.

Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
    navigate maps, send text message, make voice call, make video call.
    Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest

Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e)
diff --git a/public/app.te b/public/app.te
index 52b4680..0c5008d 100644
--- a/public/app.te
+++ b/public/app.te
@@ -178,30 +178,33 @@
   allow appdomain heapdump_data_file:file append;
 ')
 
-r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
-# Write to /proc/net/xt_qtaguid/ctrl file.
-allow {
-    untrusted_app_25
-    untrusted_app_27
-    ephemeral_app
-    priv_app
-} proc_qtaguid_ctrl:file rw_file_perms;
-# read /proc/net/xt_qtguid/*stat* to per-app network data usage.
-# Exclude isolated app which may not use network sockets.
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+# proc_net access for the negated domains below is granted (or not) in their
+# individual .te files.
 r_dir_file({
-    untrusted_app_25
-    untrusted_app_27
-    ephemeral_app
-    priv_app
-}, proc_qtaguid_stat)
-# Everybody can read the xt_qtaguid resource tracking misc dev.
-# So allow all apps to read from /dev/xt_qtaguid.
-allow {
-    untrusted_app_25
-    untrusted_app_27
-    ephemeral_app
-    priv_app
-} qtaguid_device:chr_file r_file_perms;
+  appdomain
+  -ephemeral_app
+  -isolated_app
+  -platform_app
+  -priv_app
+  -shell
+  -system_app
+  -untrusted_app_all
+}, proc_net_type)
+# audit access for all these non-core app domains.
+userdebug_or_eng(`
+  auditallow {
+    appdomain
+    -ephemeral_app
+    -isolated_app
+    -platform_app
+    -priv_app
+    -shell
+    -system_app
+    -untrusted_app_all
+  } proc_net_type:{ dir file lnk_file } { getattr open read };
+')
 
 # Grant GPU access to all processes started by Zygote.
 # They need that to render the standard UI.
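Review bot: The hunk also deletes the proc_qtaguid_ctrl, proc_qtaguid_stat and qtaguid_device rules for untrusted_app_25, untrusted_app_27, ephemeral_app and priv_app, and neither the description nor the new comment says where that access now lives; if those rules were moved into the domains' own .te files (not in this diff), the description should say so, otherwise per-app network data-usage reads break silently. The new comment would be clearer if it covered that as well, e.g. `# qtaguid rules for the negated app domains now live in their individual .te files.` Note also that the auditallow covers only `{ getattr open read }`; if r_dir_file grants more on file/lnk_file (ioctl, for instance) those accesses stay unaudited, which is acceptable for the stated goal but worth a comment next to the auditallow.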
diff --git a/public/attributes b/public/attributes
index 75679c7..0d19120 100644
--- a/public/attributes
+++ b/public/attributes
@@ -40,6 +40,13 @@
 attribute proc_type;
 expandattribute proc_type false;
 
+# Types in /proc/net, excluding qtaguid types.
+# TODO(b/9496886) Lock down access to /proc/net.
+# This attribute is used to audit access to proc_net. it is temporary and will
+# be removed.
+attribute proc_net_type;
+expandattribute proc_net_type true;
+
 # All types used for sysfs files.
 attribute sysfs_type;
 
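Review bot: The comment on the new attribute says "Types in /proc/net", but the dhcp.te and vendor_init.te hunks use the same types for /proc/sys/net files, so anyone tuning the audit rules from this comment would miss that scope. Suggest `# Types in /proc/net and /proc/sys/net, excluding qtaguid types.` Minor: `it is temporary` should start with a capital letter like the surrounding comments.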
diff --git a/public/clatd.te b/public/clatd.te
index ee44abf..53d6582 100644
--- a/public/clatd.te
+++ b/public/clatd.te
@@ -4,7 +4,10 @@
 
 net_domain(clatd)
 
-r_dir_file(clatd, proc_net)
+r_dir_file(clatd, proc_net_type)
+userdebug_or_eng(`
+  auditallow clatd proc_net_type:{ dir file lnk_file } { getattr open read };
+')
 
 # Access objects inherited from netd.
 allow clatd netd:fd use;
diff --git a/public/dhcp.te b/public/dhcp.te
index 1f1ef2b..6ed9832 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -15,7 +15,7 @@
 allow dhcp toolbox_exec:file rx_file_perms;
 
 # For /proc/sys/net/ipv4/conf/*/promote_secondaries
-allow dhcp proc_net:file write;
+allow dhcp proc_net_type:file write;
 
 set_prop(dhcp, dhcp_prop)
 set_prop(dhcp, pan_result_prop)
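Review bot: Moving the write rule from proc_net to proc_net_type grants `file write` on every type carrying the attribute, including the new proc_net_vpn (/proc/net/{tcp,tcp6,udp,udp6}), while the comment says the only target is /proc/sys/net/ipv4/conf/*/promote_secondaries. Keeping the write on the concrete type, `allow dhcp proc_net:file write;`, and using the attribute only for read rules keeps the VPN-facing files out of the writable set; the same applies to `proc_net_type:file rw_file_perms` in netd.te and `proc_net_type:file w_file_perms` in vendor_init.te. This assumes /proc/sys/net keeps the proc_net label, which the comments here and in vendor_init.te imply but the diff does not show.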
diff --git a/public/domain.te b/public/domain.te
index 43890e4..7e41e96 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -23,7 +23,7 @@
 };
 allow domain self:fd use;
 allow domain proc:dir r_dir_perms;
-allow domain proc_net:dir search;
+allow domain proc_net_type:dir search;
 r_dir_file(domain, self)
 allow domain self:{ fifo_file file } rw_file_perms;
 allow domain self:unix_dgram_socket { create_socket_perms sendto };
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 2857cae..62762d3 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -161,7 +161,7 @@
   proc_cmdline
   proc_meminfo
   proc_modules
-  proc_net
+  proc_net_type
   proc_pipe_conf
   proc_pagetypeinfo
   proc_qtaguid_ctrl
diff --git a/public/file.te b/public/file.te
index 73ba5fe..47beab6 100644
--- a/public/file.te
+++ b/public/file.te
@@ -35,7 +35,8 @@
 type proc_misc, fs_type, proc_type;
 type proc_modules, fs_type, proc_type;
 type proc_mounts, fs_type, proc_type;
-type proc_net, fs_type, proc_type;
+type proc_net, fs_type, proc_type, proc_net_type;
+type proc_net_vpn, fs_type, proc_type, proc_net_type;
 type proc_page_cluster, fs_type, proc_type;
 type proc_pagetypeinfo, fs_type, proc_type;
 type proc_panic, fs_type, proc_type;
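Review bot: proc_net_vpn is declared without a comment saying what it labels or why it is split from proc_net, and nothing in this diff assigns it to a path or grants any domain access to it (the genfs_contexts change and the VPN app rules are presumably in files outside this diff). A one-line comment on the type would save the next reader a trip to the bug: `# /proc/net/{tcp,tcp6,udp,udp6}, split out for VPN apps; TODO(b/9496886) replace with an API.`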
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 5f8cc41..21b6e02 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -38,7 +38,7 @@
 # Access to wake locks
 wakelock_use(hal_telephony_server)
 
-r_dir_file(hal_telephony_server, proc_net)
+r_dir_file(hal_telephony_server, proc_net_type)
 r_dir_file(hal_telephony_server, sysfs_type)
 r_dir_file(hal_telephony_server, system_file)
 
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index 7cea7c7..8f5b77b 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -5,7 +5,7 @@
 add_hwservice(hal_wifi_server, hal_wifi_hwservice)
 allow hal_wifi_client hal_wifi_hwservice:hwservice_manager find;
 
-r_dir_file(hal_wifi, proc_net)
+r_dir_file(hal_wifi, proc_net_type)
 r_dir_file(hal_wifi, sysfs_type)
 
 set_prop(hal_wifi, exported_wifi_prop)
diff --git a/public/hal_wifi_hostapd.te b/public/hal_wifi_hostapd.te
index 03a5546..73bf037 100644
--- a/public/hal_wifi_hostapd.te
+++ b/public/hal_wifi_hostapd.te
@@ -10,7 +10,7 @@
 allow hal_wifi_hostapd_server sysfs_net:dir search;
 
 # Allow hal_wifi_hostapd to access /proc/net/psched
-allow hal_wifi_hostapd_server proc_net:file { getattr open read };
+allow hal_wifi_hostapd_server proc_net_type:file { getattr open read };
 
 # Various socket permissions.
 allowxperm hal_wifi_hostapd_server self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/hal_wifi_offload.te b/public/hal_wifi_offload.te
index dc0cf5a..f74ed05 100644
--- a/public/hal_wifi_offload.te
+++ b/public/hal_wifi_offload.te
@@ -5,5 +5,5 @@
 add_hwservice(hal_wifi_offload_server, hal_wifi_offload_hwservice)
 allow hal_wifi_offload_client hal_wifi_offload_hwservice:hwservice_manager find;
 
-r_dir_file(hal_wifi_offload, proc_net)
+r_dir_file(hal_wifi_offload, proc_net_type)
 r_dir_file(hal_wifi_offload, sysfs_type)
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 6bf0d32..3d61766 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -9,7 +9,7 @@
 allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
 
 r_dir_file(hal_wifi_supplicant, sysfs_type)
-r_dir_file(hal_wifi_supplicant, proc_net)
+r_dir_file(hal_wifi_supplicant, proc_net_type)
 
 allow hal_wifi_supplicant kernel:system module_request;
 allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
diff --git a/public/init.te b/public/init.te
index bcff07f..51a991b 100644
--- a/public/init.te
+++ b/public/init.te
@@ -278,7 +278,7 @@
 allow init self:global_capability2_class_set syslog;
 
 # init access to /proc.
-r_dir_file(init, proc_net)
+r_dir_file(init, proc_net_type)
 
 allow init {
   proc_cmdline
@@ -296,7 +296,7 @@
   proc_hostname
   proc_hung_task
   proc_extra_free_kbytes
-  proc_net
+  proc_net_type
   proc_max_map_count
   proc_min_free_order_shift
   proc_overcommit_memory
diff --git a/public/logd.te b/public/logd.te
index 817a705..23318b0 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -6,7 +6,10 @@
 r_dir_file(logd, cgroup)
 r_dir_file(logd, proc_kmsg)
 r_dir_file(logd, proc_meminfo)
-r_dir_file(logd, proc_net)
+r_dir_file(logd, proc_net_type)
+userdebug_or_eng(`
+  auditallow logd proc_net_type:{ dir file lnk_file } { getattr open read };
+')
 
 allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
 allow logd self:global_capability2_class_set syslog;
diff --git a/public/netd.te b/public/netd.te
index 7262072..faf7cac 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -41,9 +41,9 @@
 # Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
 allow netd qtaguid_device:chr_file r_file_perms;
 
-r_dir_file(netd, proc_net)
+r_dir_file(netd, proc_net_type)
 # For /proc/sys/net/ipv[46]/route/flush.
-allow netd proc_net:file rw_file_perms;
+allow netd proc_net_type:file rw_file_perms;
 
 # Enables PppController and interface enumeration (among others)
 allow netd sysfs:dir r_dir_perms;
diff --git a/public/ppp.te b/public/ppp.te
index 9340dee..8d79477 100644
--- a/public/ppp.te
+++ b/public/ppp.te
@@ -5,7 +5,7 @@
 
 net_domain(ppp)
 
-r_dir_file(ppp, proc_net)
+r_dir_file(ppp, proc_net_type)
 
 allow ppp mtp:socket rw_socket_perms;
 
diff --git a/public/preopt2cachename.te b/public/preopt2cachename.te
index 49df647..514100f 100644
--- a/public/preopt2cachename.te
+++ b/public/preopt2cachename.te
@@ -10,4 +10,7 @@
 allow preopt2cachename cppreopts:fifo_file { getattr read write };
 
 # Allow write to logcat.
-allow preopt2cachename proc_net:file r_file_perms;
+allow preopt2cachename proc_net_type:file r_file_perms;
+userdebug_or_eng(`
+  auditallow preopt2cachename proc_net_type:{ dir file lnk_file } { getattr open read };
+')
diff --git a/public/shell.te b/public/shell.te
index 887e508..2be6da6 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -118,7 +118,7 @@
 allow shell hwservicemanager:hwservice_manager list;
 
 # allow shell to look through /proc/ for lsmod, ps, top, netstat.
-r_dir_file(shell, proc_net)
+r_dir_file(shell, proc_net_type)
 
 allow shell {
   proc_asound
diff --git a/public/vendor_init.te b/public/vendor_init.te
index d079873..ad69437 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -129,8 +129,8 @@
 allow vendor_init dev_type:blk_file getattr;
 
 # Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
-r_dir_file(vendor_init, proc_net)
-allow vendor_init proc_net:file w_file_perms;
+r_dir_file(vendor_init, proc_net_type)
+allow vendor_init proc_net_type:file w_file_perms;
 allow vendor_init self:global_capability_class_set net_admin;
 
 # Write to /proc/sys/vm/page-cluster
diff --git a/public/vold.te b/public/vold.te
index 0b0c766..6817482 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -8,7 +8,11 @@
 allow vold cache_file:lnk_file r_file_perms;
 
 # Read access to pseudo filesystems.
-r_dir_file(vold, proc_net)
+r_dir_file(vold, proc_net_type)
+userdebug_or_eng(`
+  auditallow vold proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
 r_dir_file(vold, sysfs_type)
 # XXX Label sysfs files with a specific type?
 allow vold sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.
diff --git a/public/wificond.te b/public/wificond.te
index 96668f3..fd2ed4f 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -21,7 +21,7 @@
 # newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
 allow wificond self:netlink_generic_socket create_socket_perms_no_ioctl;
 
-r_dir_file(wificond, proc_net)
+r_dir_file(wificond, proc_net_type)
 
 # wificond writes out configuration files for wpa_supplicant/hostapd.
 # wificond also reads pid files out of this directory