Skip to content
Snippets Groups Projects
Select Git revision
  • android-7.1.2_r28_klist
  • master default protected
  • pie-cts-release
  • pie-vts-release
  • pie-cts-dev
  • oreo-mr1-iot-release
  • sdk-release
  • oreo-m6-s4-release
  • oreo-m4-s12-release
  • pie-release
  • pie-r2-release
  • pie-r2-s1-release
  • oreo-vts-release
  • oreo-cts-release
  • oreo-dev
  • oreo-mr1-dev
  • pie-gsi
  • pie-platform-release
  • pie-dev
  • oreo-cts-dev
  • android-o-mr1-iot-release-1.0.4
  • android-9.0.0_r8
  • android-9.0.0_r7
  • android-9.0.0_r6
  • android-9.0.0_r5
  • android-8.1.0_r46
  • android-8.1.0_r45
  • android-n-iot-release-smart-display-r2
  • android-vts-8.1_r5
  • android-cts-8.1_r8
  • android-cts-8.0_r12
  • android-cts-7.1_r20
  • android-cts-7.0_r24
  • android-o-mr1-iot-release-1.0.3
  • android-cts-9.0_r1
  • android-8.1.0_r43
  • android-8.1.0_r42
  • android-n-iot-release-smart-display
  • android-p-preview-5
  • android-9.0.0_r3
40 results

genfs_contexts

Blame
    • Jeff Vander Stoep's avatar
      43303c8b
      relabel files in /proc/net/xt_qtaguid/ · 43303c8b
      Jeff Vander Stoep authored
      /proc/net/xt_qtaguid is used by apps to track their network data
      use. Limit access to just zygote spawned processes - apps and
      system_server, omitting access to isolated_app which is not allowed
      to create network sockets.
      As Android moves to eBPF for app's network data stats, access to
      /proc/net/xt_qtaguid will be removed entirely. Segmenting access off
      is the first step.
      Bug: 68774956
      
      This change also helps further segment and whitelist access to
      files in /proc/net and is a step in the lockdown of /proc/net.
      Bug: 9496886
      
      Test: boot Taimen. Walk through setup-wizard. Make phone call and
          video call. Browse web. Watch youtube. Navigate in maps.
      Test: cts-tradefed run cts -m CtsAppSecurityHostTestCases -t \
          android.appsecurity.cts.AppSecurityTests
      Test: cts-tradefed run cts -m CtsNativeNetTestCases
      Test: cts-tradefed run cts -m CtsIncidentHostTestCases -t \
          com.android.server.cts.NetstatsIncidentTest
      Test: cts-tradefed run cts -m CtsOsTestCases -t \
          android.os.cts.StrictModeTest
      Test: cts-tradefed run cts -m CtsNetTestCases -t \
          android.net.cts.TrafficStatsTest
      Test: cts-tradefed run cts -m CtsUsageStatsTestCases -t \
          android.app.usage.cts.NetworkUsageStatsTest
      Test: vts-tradefed run vts -m VtsQtaguidTest
      Change-Id: Idddd318c56b84564142d37b11dcc225a2f2800ea
      43303c8b
      History
      relabel files in /proc/net/xt_qtaguid/
      Jeff Vander Stoep authored
      /proc/net/xt_qtaguid is used by apps to track their network data
      use. Limit access to just zygote spawned processes - apps and
      system_server, omitting access to isolated_app which is not allowed
      to create network sockets.
      As Android moves to eBPF for app's network data stats, access to
      /proc/net/xt_qtaguid will be removed entirely. Segmenting access off
      is the first step.
      Bug: 68774956
      
      This change also helps further segment and whitelist access to
      files in /proc/net and is a step in the lockdown of /proc/net.
      Bug: 9496886
      
      Test: boot Taimen. Walk through setup-wizard. Make phone call and
          video call. Browse web. Watch youtube. Navigate in maps.
      Test: cts-tradefed run cts -m CtsAppSecurityHostTestCases -t \
          android.appsecurity.cts.AppSecurityTests
      Test: cts-tradefed run cts -m CtsNativeNetTestCases
      Test: cts-tradefed run cts -m CtsIncidentHostTestCases -t \
          com.android.server.cts.NetstatsIncidentTest
      Test: cts-tradefed run cts -m CtsOsTestCases -t \
          android.os.cts.StrictModeTest
      Test: cts-tradefed run cts -m CtsNetTestCases -t \
          android.net.cts.TrafficStatsTest
      Test: cts-tradefed run cts -m CtsUsageStatsTestCases -t \
          android.app.usage.cts.NetworkUsageStatsTest
      Test: vts-tradefed run vts -m VtsQtaguidTest
      Change-Id: Idddd318c56b84564142d37b11dcc225a2f2800ea