From 886aa54bab8f8c941bd32bd3317cc1c6c25ccaf5 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Wed, 28 Mar 2018 15:34:37 -0700
Subject: [PATCH] Improve neverallows on /proc and /sys

Access to these files was removed in Oreo. Enforce via a neverallow rule that
partners do not grant this access.

Also disallow most untrusted app access to net.dns.* properties.

Bug: 77225170
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I85b634af509203393dd2d9311ab5d30c65f157c1
---
 private/app_neverallows.te | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 78c1b8615..f998e5504 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -36,6 +36,10 @@ neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write
 neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
 neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
 
+# net.dns properties are not a public API. Temporarily exempt pre-Oreo apps,
+# but otherwise disallow untrusted apps from reading this property.
+neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;
+
 # Do not allow untrusted apps to be assigned mlstrustedsubject.
 # This would undermine the per-user isolation model being
 # enforced via levelFrom=user in seapp_contexts and the mls
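Review bot: The untrusted_app_25 exemption on the new net_dns_prop rule is described as temporary, but nothing in the hunk records when it is meant to go away or who tracks it; a TODO keeps it from becoming permanent, e.g. `# TODO(b/<tracking bug>): drop the -untrusted_app_25 exemption once pre-Oreo apps are no longer supported.` Separately, the rule denies only `read` while the neighbouring sysfs_mac_address rule uses `no_rw_file_perms`; if the intent is to block every way of inspecting the property file, `getattr` and `open` are still permitted here, so either widen it to `r_file_perms` or note in the comment why `read` alone is sufficient. This is a wording/consistency point, not a claim that the narrower rule is bypassable.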
@@ -58,7 +62,10 @@ neverallow all_untrusted_apps file_type:file link;
 neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;
 
 # Do not allow any write access to files in /sys
-neverallow all_untrusted_apps sysfs_type:file no_w_file_perms;
+neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };
+
+# Apps may never access the default sysfs label.
+neverallow all_untrusted_apps sysfs:file no_rw_file_perms;
 
 # Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
 # ioctl permission, or 3. disallow the socket class.
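Review bot: The comment above the changed sysfs_type rule still says "Do not allow any write access to files in /sys", but the rule now also denies `no_x_file_perms`, so the comment understates what is enforced; update it to `# Do not allow any write or execute access to files in /sys`. The new `sysfs:file no_rw_file_perms` rule covers only the file class, so directory and symlink access under the default sysfs label is presumably still allowed (likely intended, since apps need to traverse /sys); if so, say so in the comment rather than "may never access", e.g. `# Apps may never read or write files carrying the default sysfs label.`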
@@ -119,9 +126,12 @@ neverallow all_untrusted_apps {
   proc_loadavg
   proc_mounts
   proc_pagetypeinfo
+  proc_stat
   proc_swaps
+  proc_uptime
   proc_version
   proc_vmallocinfo
+  proc_vmstat
 }:file { no_rw_file_perms no_x_file_perms };
 
 # Avoid all access to kernel configuration
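Review bot: The three added labels (proc_stat, proc_uptime, proc_vmstat) are dropped into the denied set without any note on why they join it, and the commit message only says the access was removed in Oreo; a short rationale next to the list keeps future exemption requests honest, e.g. `# proc_stat/proc_uptime/proc_vmstat expose system-wide activity counters and timing, removed for apps in Oreo.` The patch does not touch the genfs_contexts or file.te definitions these labels depend on, so they are presumably already defined (the build_policies.sh test in the message would otherwise fail) — worth confirming that proc_vmstat in particular is labelled on all supported kernels. The enclosing neverallow statement begins before this hunk.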
-- 
GitLab