From 529fcbe06506d62370525f04380ae41ae7fc7892 Mon Sep 17 00:00:00 2001
From: Robert Craig <rpcraig@tycho.ncsc.mil>
Date: Tue, 7 Jan 2014 13:46:56 -0500
Subject: [PATCH] Create proc_net type for /proc/sys/net entries.

/proc/sys/net could use its own type to help distinguish among some of the proc access rules. Fix dhcp and netd because of this.

Change-Id: I6e16cba660f07bc25f437bf43e1eba851a88d538
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
---
 dhcp.te | 3 ++-
 domain.te | 1 +
 file.te | 1 +
 genfs_contexts | 1 +
 netd.te | 3 +--
 5 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/dhcp.te b/dhcp.te
index 5856a260f..e7103608f 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -13,7 +13,8 @@ allow dhcp self:packet_socket create_socket_perms;
 allow dhcp self:netlink_route_socket { create_socket_perms nlmsg_write };
 allow dhcp shell_exec:file rx_file_perms;
 allow dhcp system_file:file rx_file_perms;
-allow dhcp proc:file write;
+# For /proc/sys/net/ipv4/conf/*/promote_secondaries
+allow dhcp proc_net:file write;
 allow dhcp system_prop:property_service set ;
 allow dhcp dhcp_system_file:file rx_file_perms;
 allow dhcp dhcp_system_file:dir r_dir_perms;
diff --git a/domain.te b/domain.te
index 4aa9c10e6..a49898048 100644
--- a/domain.te
+++ b/domain.te
@@ -106,6 +106,7 @@ r_dir_file(domain, sysfs)
 r_dir_file(domain, sysfs_devices_system_cpu)
 r_dir_file(domain, inotify)
 r_dir_file(domain, cgroup)
+r_dir_file(domain, proc_net)
 
 # debugfs access
 allow domain debugfs:dir r_dir_perms;
diff --git a/file.te b/file.te
index 3ca9fd7b2..e255ae949 100644
--- a/file.te
+++ b/file.te
@@ -10,6 +10,7 @@ type proc_security, fs_type;
 type usermodehelper, fs_type, sysfs_type;
 type qtaguid_proc, fs_type, mlstrustedobject;
 type proc_bluetooth_writable, fs_type;
+type proc_net, fs_type;
 type selinuxfs, fs_type;
 type cgroup, fs_type, mlstrustedobject;
 type sysfs, fs_type, mlstrustedobject;
diff --git a/genfs_contexts b/genfs_contexts
index 8560e38d3..99d4400ee 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -15,6 +15,7 @@ genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
 genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
 genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/net u:object_r:proc_net:s0
 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
diff --git a/netd.te b/netd.te
index 72784da8b..f8c9ffbbc 100644
--- a/netd.te
+++ b/netd.te
@@ -16,8 +16,7 @@ allow netd system_file:file x_file_perms;
 allow netd devpts:chr_file rw_file_perms;
 
 # For /proc/sys/net/ipv[46]/route/flush.
-# XXX Split /proc/sys/net into its own type.
-allow netd proc:file write;
+allow netd proc_net:file write;
 
 # For /sys/modules/bcmdhd/parameters/firmware_path
 # XXX Split into its own type.
--
GitLab
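Review bot: The new comment above `allow dhcp proc_net:file write;` names a single sysctl, but the genfscon entry added in this same patch labels the entire /proc/sys/net subtree as proc_net, so the rule lets dhcp write every file under /proc/sys/net, not only promote_secondaries. That is still narrower than the `proc:file write` it replaces, but the comment should not suggest a per-file grant; something like `# For /proc/sys/net/ipv4/conf/*/promote_secondaries (proc_net covers all of /proc/sys/net)` keeps the audit trail honest. The route/flush comment in the netd.te hunk has the same mismatch.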
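Review bot: `r_dir_file(domain, proc_net)` grants every domain read access to the whole newly labeled /proc/sys/net subtree, and nothing in the hunk records whether that is parity with what domains already had on proc or a widening; the surrounding domain.te rules that would settle this are outside the hunk. If domains did not previously read proc broadly, the read grant could be limited to the domains that need it, since the stated purpose of the new type is to distinguish these accesses. Either way a one-line comment stating the intent would help, e.g. `# All domains may read /proc/sys/net; write is granted per domain (dhcp, netd)`.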