From 3638c1b4e73ec51d0ef920d598a2e89e821e04e3 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Fri, 24 Jul 2015 13:25:45 -0700
Subject: [PATCH] Do not allow apps to access network address file

Bug: 18068520
Bug: 21852542
Change-Id: I080547c61cbaacb18e003a9b2366e2392a6521ff
---
 file.te          | 1 +
 system_server.te | 3 +++
 untrusted_app.te | 3 +++
 3 files changed, 7 insertions(+)

diff --git a/file.te b/file.te
index 59a2cc5c0..bbd098e8b 100644
--- a/file.te
+++ b/file.te
@@ -25,6 +25,7 @@ type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_wake_lock, fs_type, sysfs_type;
+type sysfs_mac_address, fs_type, sysfs_type;
 # /sys/devices/system/cpu
 type sysfs_devices_system_cpu, fs_type, sysfs_type;
 # /sys/module/lowmemorykiller
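Review bot: Nothing in this patch labels a sysfs path with `sysfs_mac_address`, so the type declared at the added line has no objects unless a file_contexts entry exists elsewhere, possibly in device policy that is not visible here. Until a path carries the label, the address file presumably keeps its generic sysfs type, and the new allow in system_server.te and neverallow in untrusted_app.te match nothing on the device. The neighbouring types have a path comment, so I would add one above the declaration, e.g. `# network interface hardware (MAC) address file; labelled per device in file_contexts as <DEVICE_SYSFS_PATH>`. Once a path is relabelled, any domain other than system_server that read it through the generic sysfs type loses access, so check the audit log for new denials on a test build.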
diff --git a/system_server.te b/system_server.te
index 905f12744..bb8c6ef97 100644
--- a/system_server.te
+++ b/system_server.te
@@ -430,6 +430,9 @@ allow system_server mnt_expand_file:dir r_dir_perms;
 # Allow system process to relabel the fingerprint directory after mkdir
 allow system_server fingerprintd_data_file:dir {r_dir_perms relabelto};
 
+# Allow system process to read network MAC address
+allow system_server sysfs_mac_address:file r_file_perms;
+
 ###
 ### Neverallow rules
 ###
diff --git a/untrusted_app.te b/untrusted_app.te
index 693a13cd6..eb518e32c 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -154,3 +154,6 @@ neverallow untrusted_app mlstrustedsubject:process fork;
 # bugs, so we want to ensure untrusted_app never has this
 # capability.
 neverallow untrusted_app file_type:file link;
+
+# Do not allow untrusted_app to access network MAC address file
+neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
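Review bot: The added neverallow names only `untrusted_app`, while the commit subject says apps in general, so isolated_app and the other app domains get no compile-time assertion. If no other app domain is meant to read the address, the rule could be widened, for example `neverallow { untrusted_app isolated_app } sysfs_mac_address:file no_rw_file_perms;`. Whether other app domains currently hold a grant cannot be told from this hunk. Note also that a neverallow only fails the policy build when a matching allow exists. The runtime denial depends on the file actually carrying the new label. The comment could state the reason as well, e.g. `# MAC address is a persistent hardware identifier; keep it away from untrusted code`.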
-- 
GitLab