Disallow access to proc_net for ephemeral_app Test: Boots, runs Bug: 32713782 Change-Id: Ia58db3c4c0159482f08e72ef638f3e1736095918

commit: c4a938e75b01c37a209483904916f0939424b53a [log] [tgz]
author: Chad Brubaker <cbrubaker@google.com> Wed Mar 15 14:26:18 2017 -0700
committer: Chad Brubaker <cbrubaker@google.com> Tue Mar 21 12:28:49 2017 -0700
tree: 624eab732f1b94d6a84b40ae50dddf7db90fffb8
parent: 1222ece97ad7be3a077c54ebbc39e55f992a03e2 [diff] [blame]
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 2b94827..2b0515a 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te

@@ -52,3 +52,7 @@
 # Directly access external storage
 neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
 neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
+
+# Avoid reads to proc_net, it contains too much device wide information about
+# ongoing connections.
+neverallow ephemeral_app proc_net:file no_rw_file_perms;
commit	c4a938e75b01c37a209483904916f0939424b53a	[log] [tgz]
author	Chad Brubaker <cbrubaker@google.com>	Wed Mar 15 14:26:18 2017 -0700
committer	Chad Brubaker <cbrubaker@google.com>	Tue Mar 21 12:28:49 2017 -0700
tree	624eab732f1b94d6a84b40ae50dddf7db90fffb8
parent	1222ece97ad7be3a077c54ebbc39e55f992a03e2 [diff] [blame]