neverallow some /proc file reads

am: 0b7506ff Change-Id: I8093d316ef2f0e5839073b88351bca4eace75b7b

neverallow some /proc file reads
a824fa33 · Nick Kralevich · android-build-merger · 1d18ef44 · 0b7506ff · a824fa33
Commit a824fa33 authored 8 years ago by Nick Kralevich Committed by android-build-merger 8 years ago
--- a/public/ephemeral_app.te
+++ b/public/ephemeral_app.te
@@ -116,3 +116,7 @@ neverallow ephemeral_app gpu_device:chr_file execute;

 # access files in /sys with the default sysfs label
 neverallow ephemeral_app sysfs:file *;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
--- a/public/isolated_app.te
+++ b/public/isolated_app.te
@@ -109,3 +109,7 @@ neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;

 # Restrict the webview_zygote control socket.
 neverallow isolated_app webview_zygote_socket:sock_file write;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow isolated_app proc:file { no_rw_file_perms no_x_file_perms };
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -193,3 +193,7 @@ neverallow untrusted_app tun_device:chr_file open;
 # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
 neverallow untrusted_app anr_data_file:file ~{ open append };
 neverallow untrusted_app anr_data_file:dir ~search;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow untrusted_app proc:file { no_rw_file_perms no_x_file_perms };