From 43303c8b89ac7792bfc90be4fa4aa338ea9d3be4 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Tue, 2 Jan 2018 13:10:46 -0800
Subject: [PATCH] relabel files in /proc/net/xt_qtaguid/

/proc/net/xt_qtaguid is used by apps to track their network data
use. Limit access to zygote-spawned processes only - apps and
system_server - omitting isolated_app, which is not allowed
to create network sockets.
As Android moves to eBPF for app's network data stats, access to
/proc/net/xt_qtaguid will be removed entirely. Segmenting access off
is the first step.
Bug: 68774956

This change also helps further segment and whitelist access to
files in /proc/net and is a step in the lockdown of /proc/net.
Bug: 9496886

Test: boot Taimen. Walk through setup-wizard. Make phone call and
    video call. Browse web. Watch youtube. Navigate in maps.
Test: cts-tradefed run cts -m CtsAppSecurityHostTestCases -t \
    android.appsecurity.cts.AppSecurityTests
Test: cts-tradefed run cts -m CtsNativeNetTestCases
Test: cts-tradefed run cts -m CtsIncidentHostTestCases -t \
    com.android.server.cts.NetstatsIncidentTest
Test: cts-tradefed run cts -m CtsOsTestCases -t \
    android.os.cts.StrictModeTest
Test: cts-tradefed run cts -m CtsNetTestCases -t \
    android.net.cts.TrafficStatsTest
Test: cts-tradefed run cts -m CtsUsageStatsTestCases -t \
    android.app.usage.cts.NetworkUsageStatsTest
Test: vts-tradefed run vts -m VtsQtaguidTest
Change-Id: Idddd318c56b84564142d37b11dcc225a2f2800ea
---
 private/compat/26.0/26.0.cil | 4 +++-
 private/genfs_contexts       | 1 +
 private/system_server.te     | 1 +
 public/app.te                | 8 +++++---
 public/file.te               | 1 +
 5 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 3b8b0fd1d..78e7b74f1 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -486,7 +486,9 @@
 (typeattributeset proc_meminfo_26_0 (proc_meminfo))
 (typeattributeset proc_misc_26_0 (proc_misc))
 (typeattributeset proc_modules_26_0 (proc_modules))
-(typeattributeset proc_net_26_0 (proc_net))
+(typeattributeset proc_net_26_0
+  ( proc_net
+    proc_qtaguid_stat))
 (typeattributeset proc_overcommit_memory_26_0 (proc_overcommit_memory))
 (typeattributeset proc_perf_26_0 (proc_perf))
 (typeattributeset proc_security_26_0 (proc_security))
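Review bot: The new type is mapped only in the 26.0 compat file; if a 27.0 mapping file also exists under private/compat, it needs the same `proc_qtaguid_stat` entry in its proc_net set, otherwise vendor policy built against that version would see an unmapped type. Folding the stats files back into proc_net_26_0 preserves the old vendor view, which is consistent with a pure relabel. I cannot see the rest of private/compat from this patch, so treat the 27.0 question as something to confirm.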
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 29bd0c46e..d05d38690 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -17,6 +17,7 @@ genfscon proc /modules u:object_r:proc_modules:s0
 genfscon proc /mounts u:object_r:proc_mounts:s0
 genfscon proc /net u:object_r:proc_net:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
+genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
 genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0
 genfscon proc /softirqs u:object_r:proc_timer:s0
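Review bot: `genfscon proc /net/xt_qtaguid/` with the trailing slash labels the entries under the directory, while the directory inode itself keeps proc_net from the `/net` entry, because genfscon selects the longest matching path prefix. When proc_net is later locked down as the description plans, any domain granted proc_qtaguid_stat will still need at least `search` on proc_net to reach these files, so a comment such as `# directory itself stays proc_net; only its entries are proc_qtaguid_stat` would save the next reader working this out. The longer `/net/xt_qtaguid/ctrl` entry still wins for ctrl, so that file keeps qtaguid_proc as before.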
diff --git a/private/system_server.te b/private/system_server.te
index e917c8968..f64560803 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -700,6 +700,7 @@ allow system_server ion_device:chr_file r_file_perms;
 
 r_dir_file(system_server, proc_asound)
 r_dir_file(system_server, proc_net)
+r_dir_file(system_server, proc_qtaguid_stat)
 allow system_server {
   proc_loadavg
   proc_meminfo
diff --git a/public/app.te b/public/app.te
index 3b0495580..582995a56 100644
--- a/public/app.te
+++ b/public/app.te
@@ -171,11 +171,13 @@ userdebug_or_eng(`
 
 # Write to /proc/net/xt_qtaguid/ctrl file.
 allow appdomain qtaguid_proc:file rw_file_perms;
-# read /proc/net/xt_qtguid/stats
-r_dir_file({ appdomain -ephemeral_app}, proc_net)
+r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
+# read /proc/net/xt_qtguid/*stat* to per-app network data usage.
+# Exclude isolated app which may not use network sockets.
+r_dir_file({ appdomain -isolated_app }, proc_qtaguid_stat)
 # Everybody can read the xt_qtaguid resource tracking misc dev.
 # So allow all apps to read from /dev/xt_qtaguid.
-allow appdomain qtaguid_device:chr_file r_file_perms;
+allow { appdomain -isolated_app } qtaguid_device:chr_file r_file_perms;
 
 # Grant GPU access to all processes started by Zygote.
 # They need that to render the standard UI.
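Review bot: The added comment on the stats rule misspells the path and drops a verb: `# read /proc/net/xt_qtguid/*stat* to per-app network data usage.` should read `# read /proc/net/xt_qtaguid/*stat* to track per-app network data usage.` (the removed comment carried the same typo). Separately, ephemeral_app remains excluded from proc_net but is included in the new proc_qtaguid_stat grant; if that asymmetry is intended, a one-line comment stating it would help, since without directory access the practical effect of the grant is not obvious from this file. The isolated_app exclusions on proc_net, proc_qtaguid_stat and qtaguid_device match the description.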
diff --git a/public/file.te b/public/file.te
index 9660da2c4..56b6c2fe5 100644
--- a/public/file.te
+++ b/public/file.te
@@ -12,6 +12,7 @@ type proc_overcommit_memory, fs_type;
 type usermodehelper, fs_type;
 type sysfs_usermodehelper, fs_type, sysfs_type;
 type qtaguid_proc, fs_type, mlstrustedobject;
+type proc_qtaguid_stat, fs_type, mlstrustedobject;
 type proc_bluetooth_writable, fs_type;
 type proc_abi, fs_type;
 type proc_asound, fs_type;
-- 
GitLab