From 5ec8f8432be8072711b388eb0e6696945c04950f Mon Sep 17 00:00:00 2001
From: Chenbo Feng <fengc@google.com>
Date: Thu, 8 Feb 2018 12:52:13 -0800
Subject: [PATCH] Block SDK 28 app from using proc/net/xt_qtaguid

The file under /proc/net/xt_qtaguid is going away in future release.
Apps should use the provided public api instead of directly reading the
proc file. This change will block apps that based on SDK 28 or above to
directly read that file and we will delete that file after apps move
away from it.

Test: Flashed with master branch on marlin, verified phone boot, can
      browse web, watch youtube video, make phone call and use google
      map for navigation with wifi on and off.
      run cts -m CtsNetTestCases -t android.net.cts.TrafficStatsTest
      run cts -m CtsAppSecurityHostTestCases -t \
      		android.appsecurity.cts.AppSecurityTests

Change-Id: I4c4d6c9ab28b426acef23db53f171de8f20be1dc
---
 public/app.te | 30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)

diff --git a/public/app.te b/public/app.te
index 3c29946c8..e6bf8886d 100644
--- a/public/app.te
+++ b/public/app.te
@@ -170,14 +170,38 @@ userdebug_or_eng(`
 ')
 
 # Write to /proc/net/xt_qtaguid/ctrl file.
-allow appdomain qtaguid_proc:file rw_file_perms;
+allow {
+    untrusted_app_25
+    untrusted_app_27
+    ephemeral_app
+    priv_app
+    system_app
+    platform_app
+    shell
+} qtaguid_proc:file rw_file_perms;
 r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
 # read /proc/net/xt_qtguid/*stat* to per-app network data usage.
 # Exclude isolated app which may not use network sockets.
-r_dir_file({ appdomain -isolated_app }, proc_qtaguid_stat)
+r_dir_file({
+    untrusted_app_25
+    untrusted_app_27
+    ephemeral_app
+    priv_app
+    system_app
+    platform_app
+    shell
+}, proc_qtaguid_stat)
 # Everybody can read the xt_qtaguid resource tracking misc dev.
 # So allow all apps to read from /dev/xt_qtaguid.
-allow { appdomain -isolated_app } qtaguid_device:chr_file r_file_perms;
+allow {
+    untrusted_app_25
+    untrusted_app_27
+    ephemeral_app
+    priv_app
+    system_app
+    platform_app
+    shell
+} qtaguid_device:chr_file r_file_perms;
 
 # Grant GPU access to all processes started by Zygote.
 # They need that to render the standard UI.
-- 
GitLab