Disallow access to proc_net for ephemeral_app Test: Boots, runs Bug: 32713782 Change-Id: Ia58db3c4c0159482f08e72ef638f3e1736095918

commit: c4a938e75b01c37a209483904916f0939424b53a [log] [tgz]
author: Chad Brubaker <cbrubaker@google.com> Wed Mar 15 14:26:18 2017 -0700
committer: Chad Brubaker <cbrubaker@google.com> Tue Mar 21 12:28:49 2017 -0700
tree: 624eab732f1b94d6a84b40ae50dddf7db90fffb8
parent: 1222ece97ad7be3a077c54ebbc39e55f992a03e2 [diff]
diff --git a/private/app.te b/private/app.te
index 04be106..f21887e 100644
--- a/private/app.te
+++ b/private/app.te

@@ -133,7 +133,7 @@
 # Write to /proc/net/xt_qtaguid/ctrl file.
 allow appdomain qtaguid_proc:file rw_file_perms;
 # read /proc/net/xt_qtguid/stats
-r_dir_file(appdomain, proc_net)
+r_dir_file({ appdomain -ephemeral_app}, proc_net)
 # Everybody can read the xt_qtaguid resource tracking misc dev.
 # So allow all apps to read from /dev/xt_qtaguid.
 allow appdomain qtaguid_device:chr_file r_file_perms;

diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 2b94827..2b0515a 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te

@@ -52,3 +52,7 @@
 # Directly access external storage
 neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
 neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
+
+# Avoid reads to proc_net, it contains too much device wide information about
+# ongoing connections.
+neverallow ephemeral_app proc_net:file no_rw_file_perms;
commit	c4a938e75b01c37a209483904916f0939424b53a	[log] [tgz]
author	Chad Brubaker <cbrubaker@google.com>	Wed Mar 15 14:26:18 2017 -0700
committer	Chad Brubaker <cbrubaker@google.com>	Tue Mar 21 12:28:49 2017 -0700
tree	624eab732f1b94d6a84b40ae50dddf7db90fffb8
parent	1222ece97ad7be3a077c54ebbc39e55f992a03e2 [diff]