shell: move shell qtaguid perms to shell.te

Remove unecessary access to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid. Bug: 68774956 Test: atest CtsNativeNetTestCases Test: adb root; atest tagSocket Change-Id: If3a1e823be0e342faefff28ecd878189c68a8e92

shell: move shell qtaguid perms to shell.te
9d28625f · Jeff Vander Stoep · Jeffrey Vander Stoep · 985db6d8 · 9d28625f · 9d28625f
Commit 9d28625f authored 6 years ago by Jeff Vander Stoep Committed by Jeffrey Vander Stoep 6 years ago
--- a/public/app.te
+++ b/public/app.te
@@ -174,6 +174,7 @@ userdebug_or_eng(`
  allow appdomain heapdump_data_file:file append;
 ')
+r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
 # Write to /proc/net/xt_qtaguid/ctrl file.
 allow {
    untrusted_app_25
@@ -182,9 +183,7 @@ allow {
    priv_app
    system_app
    platform_app
-    shell
 } proc_qtaguid_ctrl:file rw_file_perms;
-r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
 # read /proc/net/xt_qtguid/*stat* to per-app network data usage.
 # Exclude isolated app which may not use network sockets.
 r_dir_file({
@@ -194,7 +193,6 @@ r_dir_file({
    priv_app
    system_app
    platform_app
-    shell
 }, proc_qtaguid_stat)
 # Everybody can read the xt_qtaguid resource tracking misc dev.
 # So allow all apps to read from /dev/xt_qtaguid.
@@ -205,7 +203,6 @@ allow {
    priv_app
    system_app
    platform_app
-    shell
 } qtaguid_device:chr_file r_file_perms;
 # Grant GPU access to all processes started by Zygote.

--- a/public/shell.te
+++ b/public/shell.te
@@ -121,6 +121,7 @@ allow shell {
  proc_meminfo
  proc_modules
  proc_pid_max
+  proc_qtaguid_stat
  proc_stat
  proc_timer
  proc_uptime