From 84f9685972714ac0a897be99ac1b49bd24447f3a Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Fri, 15 Dec 2017 16:22:39 -0800
Subject: [PATCH] Audit app access to /proc/net/*

Many processes including third party apps are expected to access /proc/net/xt_qtaguid/stats. Give this file a new label to avoid spamming the logs and temporarily grant read access to all processes.

Read-only permission is adequate for all processes based on unix permissions.

sailfish:/ # ls -laZ /proc/net/xt_qtaguid/stats
-r--r--r-- 1 root net_bw_stats u:object_r:proc_net_xt_qtaguid_stats:s0 stats

Bug: 9496886
Bug: 68016944
Bug: 70722355
Test: Build/flash Sailfish. Browse in Chrome and watch videos in youtube. No "denied" or "granted" selinux messages observed in the logs.

Change-Id: I29f1ee806c8149988b9b93a950790d14754927ef
---
 private/app.te | 1 +
 private/compat/26.0/26.0.cil | 4 +++-
 private/genfs_contexts | 1 +
 public/domain.te | 4 ++++
 public/file.te | 1 +
 5 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/private/app.te b/private/app.te
index 184629d05..38203c7aa 100644
--- a/private/app.te
+++ b/private/app.te
@@ -177,6 +177,7 @@ userdebug_or_eng(`
 allow appdomain qtaguid_proc:file rw_file_perms;
 # read /proc/net/xt_qtguid/stats
 r_dir_file({ appdomain -ephemeral_app}, proc_net)
+auditallow appdomain proc_net:file *; # ({ appdomain -ephemeral_app}, proc_net)
 # Everybody can read the xt_qtaguid resource tracking misc dev.
 # So allow all apps to read from /dev/xt_qtaguid.
 allow appdomain qtaguid_device:chr_file r_file_perms;
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 83baf9260..05b8f4fc7 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
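Review bot: The comment `# read /proc/net/xt_qtguid/stats` above the `r_dir_file({ appdomain -ephemeral_app}, proc_net)` context line becomes stale with this commit: genfs_contexts now labels that file proc_net_xt_qtaguid_stats, so the proc_net rule no longer covers it, app reads of it come from the new domain-wide grant in domain.te, and the added auditallow will never record them, which appears to be the intent. Suggest replacing that comment with `# read /proc/net/* (xt_qtaguid/stats is labeled proc_net_xt_qtaguid_stats and granted in domain.te)`. The trailing `# ({ appdomain -ephemeral_app}, proc_net)` on the auditallow line reads like a leftover; since auditallow only logs accesses that are granted and ephemeral_app has no proc_net grant in this hunk, the wider appdomain subject is harmless unless ephemeral_app is granted proc_net elsewhere, so a purpose comment such as `# STOPSHIP remove (b/70722355): audit remaining app uses of /proc/net/*` would be clearer. Whether line 177 still sits inside the `userdebug_or_eng(\`` block named in the hunk header cannot be told from the hunk; if it does, the audit only applies to userdebug/eng builds.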
@@ -486,7 +486,9 @@
 (typeattributeset proc_meminfo_26_0 (proc_meminfo))
 (typeattributeset proc_misc_26_0 (proc_misc))
 (typeattributeset proc_modules_26_0 (proc_modules))
-(typeattributeset proc_net_26_0 (proc_net))
+(typeattributeset proc_net_26_0
+ ( proc_net
+ proc_net_xt_qtaguid_stats))
 (typeattributeset proc_overcommit_memory_26_0 (proc_overcommit_memory))
 (typeattributeset proc_perf_26_0 (proc_perf))
 (typeattributeset proc_security_26_0 (proc_security))
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 8e24f75f8..723ec5287 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -17,6 +17,7 @@ genfscon proc /modules u:object_r:proc_modules:s0
 genfscon proc /mounts u:object_r:proc_mounts:s0
 genfscon proc /net u:object_r:proc_net:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
+genfscon proc /net/xt_qtaguid/stats u:object_r:proc_net_xt_qtaguid_stats:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
 genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0
 genfscon proc /softirqs u:object_r:proc_timer:s0
diff --git a/public/domain.te b/public/domain.te
index eb02021fd..b723a9d93 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -24,6 +24,10 @@ allow domain self:process {
 allow domain self:fd use;
 allow domain proc:dir r_dir_perms;
 allow domain proc_net:dir search;
+# STOPSHIP remove (b/70722355). This is granted temporarily to gather info
+# on uses of /proc/net/. /proc/net/xt_qtaguid/stats is broadly used including
+# by apps.
+allow domain proc_net_xt_qtaguid_stats:file r_file_perms;
 r_dir_file(domain, self)
 allow domain self:{ fifo_file file } rw_file_perms;
 allow domain self:unix_dgram_socket { create_socket_perms sendto };
diff --git a/public/file.te b/public/file.te
index 314405c48..84b1708fa 100644
--- a/public/file.te
+++ b/public/file.te
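Review bot: The STOPSHIP comment on the new `allow domain proc_net_xt_qtaguid_stats:file r_file_perms;` says the grant is there "to gather info", but an allow rule on its own logs nothing; its actual role is to move the expected /proc/net/xt_qtaguid/stats reads onto a separate label so that the auditallow on proc_net in app.te is not flooded by them. Suggest rewording to `# STOPSHIP remove (b/70722355). /proc/net/xt_qtaguid/stats is labeled separately and granted to all domains so the temporary auditallow on proc_net (app.te) only records other /proc/net/ uses.` It would also help to note in that comment that removing this rule later will not by itself revoke access for vendor domains built against 26.0 policy, since 26.0.cil folds the new type into proc_net_26_0 and any proc_net:file permission those domains carry continues to apply to stats. The grant goes to `domain` rather than appdomain, so it is wider than the subject line suggests, although the commit message does state that intent.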
@@ -33,6 +33,7 @@ type proc_misc, fs_type;
 type proc_modules, fs_type;
 type proc_mounts, fs_type;
 type proc_net, fs_type;
+type proc_net_xt_qtaguid_stats, fs_type;
 type proc_overflowuid, fs_type;
 type proc_page_cluster, fs_type;
 type proc_pagetypeinfo, fs_type;
--
GitLab