Don't audit access to proc_net by network_stack.

It needs to read /proc/net/igmp, /proc/sys/net/ipv4/ip_default_ttl, and sometimes others, and this is causing spurious audit grants.

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I4f26ee395cff96f6ca73a44ffd2fe431259e8089
diff --git a/private/network_stack.te b/private/network_stack.te
index 4450e02..762e4f8 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -51,6 +51,10 @@
 # calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
 dontaudit network_stack self:key_socket getopt;
 
+# Allow network_stack to open/read/getattr various /proc/net files
+# (includes /proc/net/{anycast6,igmp,psched} /proc/sys/net/ipv4/ip_default_ttl)
+dontaudit network_stack proc_net:file r_file_perms;
+
 # Grant read permission of connectivity namespace system property prefix.
 get_prop(network_stack, device_config_connectivity_prop)
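Review bot: the comment above the new rule says "Allow network_stack to open/read/getattr", but the rule itself is `dontaudit network_stack proc_net:file r_file_perms;`. A dontaudit rule grants no access and only suppresses logging of denials. If network_stack really needs to read these files, as the commit message states, the access has to come from an allow rule, either one that already exists elsewhere or one added here. The comment should then be reworded to say that denials are being silenced and why that is acceptable. The commit message also describes the noise as "audit grants". If those are "granted" records produced by an auditallow rule, dontaudit will not suppress them, so it is worth confirming which kind of record this is meant to silence. Finally, `r_file_perms` on the whole `proc_net` type hides denials for every file with that label, not only the files named in the comment. A future denial that matters would then go unnoticed in the logs, so consider whether a narrower scope is possible.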