Revert /proc/net related changes

Revert the tightening of /proc/net access. These changes are causing a lot of denials, and I want additional time to figure out a better solution. Addresses the following denials (and many more): avc: denied { read } for comm="SyncAdapterThre" name="stats" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file avc: denied { read } for comm="facebook.katana" name="iface_stat_fmt" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file avc: denied { read } for comm="IntentService[C" name="if_inet6" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file avc: denied { read } for comm="dumpstate" name="iface_stat_all" dev="proc" ino=X scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file This reverts commit 0f0324cc and commit 99940d1a Bug: 9496886 Bug: 19034637 Change-Id: I436a6e3638ac9ed49afbee214e752fe2b0112868

Revert /proc/net related changes
5cf3994d · Nick Kralevich · 28ddd104 · 5cf3994d · 5cf3994d · 5cf3994d
Commit 5cf3994d authored 10 years ago by Nick Kralevich
--- a/app.te
+++ b/app.te
@@ -83,7 +83,6 @@ allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdow
 allow appdomain shell_data_file:file { write getattr };
 # Write to /proc/net/xt_qtaguid/ctrl file.
-allow appdomain proc_net:dir search;
 allow appdomain qtaguid_proc:file rw_file_perms;
 # Everybody can read the xt_qtaguid resource tracking misc dev.
 # So allow all apps to read from /dev/xt_qtaguid.

--- a/clatd.te
+++ b/clatd.te
@@ -15,7 +15,6 @@ allow clatd netd:udp_socket { read write };
 allow clatd netd:unix_stream_socket { read write };
 allow clatd netd:unix_dgram_socket { read write };
-r_dir_file(clatd, proc_net)
 allow clatd self:capability { net_admin net_raw setuid setgid };
 allow clatd self:netlink_route_socket nlmsg_write;

--- a/dhcp.te
+++ b/dhcp.te
@@ -12,8 +12,7 @@ allow dhcp self:netlink_route_socket nlmsg_write;
 allow dhcp shell_exec:file rx_file_perms;
 allow dhcp system_file:file rx_file_perms;
 # For /proc/sys/net/ipv4/conf/*/promote_secondaries
-allow dhcp proc_net:file rw_file_perms;
+allow dhcp proc_net:file write;
-allow dhcp proc_net:dir r_dir_perms;
 allow dhcp dhcp_prop:property_service set;
 allow dhcp pan_result_prop:property_service set;
 unix_socket_connect(dhcp, property, init)

--- a/domain.te
+++ b/domain.te
@@ -145,9 +145,8 @@ r_dir_file(domain, sysfs)
 r_dir_file(domain, sysfs_devices_system_cpu)
 r_dir_file(domain, inotify)
 r_dir_file(domain, cgroup)
+r_dir_file(domain, proc_net)
 allow domain proc_cpuinfo:file r_file_perms;
-allow domain proc_net:dir search;
-allow domain proc_net_psched:file r_file_perms;
 # debugfs access
 allow domain debugfs:dir r_dir_perms;

--- a/dumpstate.te
+++ b/dumpstate.te
@@ -61,7 +61,6 @@ domain_auto_trans(dumpstate, vdc_exec, vdc)
 allow dumpstate sysfs:file w_file_perms;
 # Other random bits of data we want to collect
-allow dumpstate proc_net:dir search;
 allow dumpstate qtaguid_proc:file r_file_perms;
 allow dumpstate debugfs:file r_file_perms;

--- a/file.te
+++ b/file.te
@@ -12,7 +12,6 @@ type qtaguid_proc, fs_type, mlstrustedobject;
 type proc_bluetooth_writable, fs_type;
 type proc_cpuinfo, fs_type;
 type proc_net, fs_type;
-type proc_net_psched, fs_type;
 type proc_sysrq, fs_type;
 type selinuxfs, fs_type, mlstrustedobject;
 type cgroup, fs_type, mlstrustedobject;

--- a/genfs_contexts
+++ b/genfs_contexts
@@ -3,7 +3,6 @@ genfscon rootfs / u:object_r:rootfs:s0
 # proc labeling can be further refined (longest matching prefix).
 genfscon proc / u:object_r:proc:s0
 genfscon proc /net u:object_r:proc_net:s0
-genfscon proc /net/psched u:object_r:proc_net_psched:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
 genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0

--- a/init.te
+++ b/init.te
@@ -124,8 +124,7 @@ allow init proc_security:file rw_file_perms;
 allow init proc:file w_file_perms;
 # Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
-allow init proc_net:file rw_file_perms;
+allow init proc_net:file w_file_perms;
-allow init proc_net:dir r_dir_perms;
 allow init self:capability net_admin;
 # Write to /proc/sysrq-trigger.

--- a/mediaserver.te
+++ b/mediaserver.te
@@ -61,7 +61,6 @@ allow mediaserver audio_data_file:dir ra_dir_perms;
 allow mediaserver audio_data_file:file create_file_perms;
 # Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
-allow mediaserver proc_net:dir search;
 allow mediaserver qtaguid_proc:file rw_file_perms;
 allow mediaserver qtaguid_device:chr_file r_file_perms;

--- a/netd.te
+++ b/netd.te
@@ -24,8 +24,7 @@ allow netd system_file:file x_file_perms;
 allow netd devpts:chr_file rw_file_perms;
 # For /proc/sys/net/ipv[46]/route/flush.
-allow netd proc_net:file rw_file_perms;
+allow netd proc_net:file write;
-allow netd proc_net:dir r_dir_perms;
 # For /sys/modules/bcmdhd/parameters/firmware_path
 # XXX Split into its own type.

--- a/radio.te
+++ b/radio.te
@@ -17,7 +17,6 @@ allow radio radio_data_file:notdevfile_class_set create_file_perms;
 allow radio alarm_device:chr_file rw_file_perms;
-r_dir_file(radio, proc_net)
 allow radio net_data_file:dir search;
 allow radio net_data_file:file r_file_perms;

--- a/system_server.te
+++ b/system_server.te
@@ -91,7 +91,6 @@ allow system_server appdomain:file write;
 # Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
 allow system_server qtaguid_proc:file rw_file_perms;
 allow system_server qtaguid_device:chr_file rw_file_perms;
-r_dir_file(system_server, proc_net)
 # Write to /proc/sysrq-trigger.
 allow system_server proc_sysrq:file rw_file_perms;