Merge "Allow only public-readable to ro.secure and ro.adb.secure"

commit: c828802643791265d65e05f224edc0b3a38b2e25 [log] [tgz]
author: Treehugger Robot <treehugger-gerrit@google.com> Sun Mar 18 23:21:34 2018 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Sun Mar 18 23:21:34 2018 +0000
tree: 01a4d0718a6ea7d55ed5dbea24b66444cab80280
parent: eecc0ed4eb4ffc659dc13a0833765b6813245e70 [diff]
parent: 62acbce4a2b7b95a58cbd3d7dddf94870405192b [diff]
diff --git a/public/netd.te b/public/netd.te
index 0e9e08c..c056ea9 100644
--- a/public/netd.te
+++ b/public/netd.te

@@ -146,3 +146,12 @@
 # We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
 # the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
 neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;
+
+# If an already existing file is opened with O_CREATE, the kernel might generate
+# a false report of a create denial. Silence these denials and make sure that
+# inappropriate permissions are not granted.
+neverallow netd proc_net:dir no_w_dir_perms;
+dontaudit netd proc_net:dir write;
+
+neverallow netd sysfs_net:dir no_w_dir_perms;
+dontaudit netd sysfs_net:dir write;
commit	c828802643791265d65e05f224edc0b3a38b2e25	[log] [tgz]
author	Treehugger Robot <treehugger-gerrit@google.com>	Sun Mar 18 23:21:34 2018 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Sun Mar 18 23:21:34 2018 +0000
tree	01a4d0718a6ea7d55ed5dbea24b66444cab80280
parent	eecc0ed4eb4ffc659dc13a0833765b6813245e70 [diff]
parent	62acbce4a2b7b95a58cbd3d7dddf94870405192b [diff]