From 0b7506ff53b8c1b9c7582b056536df8faaa3c22a Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 22 Nov 2016 13:16:49 -0800
Subject: [PATCH] neverallow some /proc file reads

Lock in the gains we've made so far in restricting access to generically
labeled /proc files. There's more we can do here, but let's avoid
inadvertent regressions.

Test: policy compiles. Only compile time assertions added.
Bug: 26813932
Change-Id: If354c2ddc1c59beed7f0eb4bcbd3f0d9971c3b8a
---
 public/ephemeral_app.te | 4 ++++
 public/isolated_app.te  | 4 ++++
 public/untrusted_app.te | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/public/ephemeral_app.te b/public/ephemeral_app.te
index 481cfa5ce..44572e184 100644
--- a/public/ephemeral_app.te
+++ b/public/ephemeral_app.te
@@ -116,3 +116,7 @@ neverallow ephemeral_app gpu_device:chr_file execute;
 
 # access files in /sys with the default sysfs label
 neverallow ephemeral_app sysfs:file *;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
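Review bot: The new neverallow on the last line of this hunk asserts only the `file` class, so access to generically labeled `/proc` entries through the `dir` and `lnk_file` classes (directory listing, symlink reads) is not locked in by it; if that narrowing is intentional, saying so next to the rule would save the next reader from assuming `/proc` is fully covered, e.g. `# Only the file class is asserted here; proc:dir and proc:lnk_file are not yet covered`. The comment on the line above says "Avoid reads", but the permission set also forbids writes and execution, presumably via the no_rw_file_perms and no_x_file_perms macros, so `# Avoid reads, writes and execution of generically labeled /proc files` would describe the rule more precisely. The same two points apply to the identical additions in the isolated_app and untrusted_app hunks.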
diff --git a/public/isolated_app.te b/public/isolated_app.te
index 007fc744b..008e0e210 100644
--- a/public/isolated_app.te
+++ b/public/isolated_app.te
@@ -109,3 +109,7 @@ neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
 
 # Restrict the webview_zygote control socket.
 neverallow isolated_app webview_zygote_socket:sock_file write;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow isolated_app proc:file { no_rw_file_perms no_x_file_perms };
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index 9f62b77e9..16edf7945 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -193,3 +193,7 @@ neverallow untrusted_app tun_device:chr_file open;
 # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
 neverallow untrusted_app anr_data_file:file ~{ open append };
 neverallow untrusted_app anr_data_file:dir ~search;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow untrusted_app proc:file { no_rw_file_perms no_x_file_perms };
-- 
GitLab