Don't audit access to proc_net by network_stack - try 2
Test: TreeHugger, cuttlefish
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ib9b97a7749a5433730f366502bdc50de66f38d74
diff --git a/private/app.te b/private/app.te
index b9a6d85..b359663 100644
--- a/private/app.te
+++ b/private/app.te
@@ -6,6 +6,7 @@
appdomain
-ephemeral_app
-isolated_app_all
+ -network_stack
-platform_app
-priv_app
-shell
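Review bot: The new `-network_stack` exclusion here, and the identical one in the hunk at `@@ -19,6 +20,7 @@`, carries no comment tying it to the explicit grant network_stack receives in private/network_stack.te in the same commit, so a later cleanup of this exclusion list can silently put network_stack back under the appdomain rule and its auditing. A one-line comment above the set such as `# network_stack has its own explicit proc_net_type grant in network_stack.te` would record that dependency. The same exclusion list is repeated verbatim in both hunks; if the policy already has an attribute or macro for app domains with their own proc_net policy, naming it here would keep the two lists from drifting apart. The rule this set belongs to starts before and ends after the hunk, so which rule (presumably the grant and the audit rule) each hunk modifies cannot be confirmed from the hunk itself.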
@@ -19,6 +20,7 @@
appdomain
-ephemeral_app
-isolated_app_all
+ -network_stack
-platform_app
-priv_app
-shell
diff --git a/private/network_stack.te b/private/network_stack.te
index 762e4f8..8a07245 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -53,7 +53,7 @@
# Allow network_stack to open/read/getattr various /proc/net files
# (includes /proc/net/{anycast6,igmp,psched} /proc/sys/net/ipv4/ip_default_ttl)
-dontaudit network_stack proc_net:file r_file_perms;
+r_dir_file(network_stack, proc_net_type)
# Grant read permission of connectivity namespace system property prefix.
get_prop(network_stack, device_config_connectivity_prop)
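Review bot: The comment on the two lines above the change still describes the old line's intent, while the replacement `r_dir_file(network_stack, proc_net_type)` is an allow rule rather than a dontaudit, and it covers directory access plus every type carrying the `proc_net_type` attribute rather than the single `proc_net` type — a wider grant than the line it replaces, and wider than the title "Don't audit" suggests. Update the comment to state what is granted and why, e.g. `# network_stack is excluded from the appdomain proc_net_type rules in app.te; grant read access to proc_net_type explicitly here instead` so the scope is documented next to the rule. If only specific files under /proc/net are needed, listing them in the comment gives the next reviewer a basis for tightening the attribute-wide grant. Presumably network_stack is an appdomain and already held this access via app.te, in which case the net effect is unchanged access with the audit removed; that should be confirmed and recorded in the comment.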