neverallow some /proc file reads

Lock in the gains we've made so far in restricting access to generically labeled /proc files. There's more we can do here, but let's avoid inadvertent regressions. Test: policy compiles. Only compile time assertions added. Bug: 26813932 Change-Id: If354c2ddc1c59beed7f0eb4bcbd3f0d9971c3b8a

neverallow some /proc file reads
0b7506ff · Nick Kralevich · 11dc03e5 · 0b7506ff · 0b7506ff · 0b7506ff
Commit 0b7506ff authored 8 years ago by Nick Kralevich
--- a/public/ephemeral_app.te
+++ b/public/ephemeral_app.te
@@ -116,3 +116,7 @@ neverallow ephemeral_app gpu_device:chr_file execute;
 # access files in /sys with the default sysfs label
 neverallow ephemeral_app sysfs:file *;
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
--- a/public/isolated_app.te
+++ b/public/isolated_app.te
@@ -109,3 +109,7 @@ neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
 # Restrict the webview_zygote control socket.
 neverallow isolated_app webview_zygote_socket:sock_file write;
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow isolated_app proc:file { no_rw_file_perms no_x_file_perms };
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -193,3 +193,7 @@ neverallow untrusted_app tun_device:chr_file open;
 # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
 neverallow untrusted_app anr_data_file:file ~{ open append };
 neverallow untrusted_app anr_data_file:dir ~search;
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow untrusted_app proc:file { no_rw_file_perms no_x_file_perms };