From c1031b557a9a32d035f97e84f4d9208f02da712a Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Sun, 1 Oct 2017 15:53:01 -0700
Subject: [PATCH] Restrict netd fwk policy.

Remove netd access to sysfs_type attribute.

These were moved from vendor to fwk policy:
1. sysfs_net type declaration
2. labeling of /sys/devices/virtual/net with sysfs_net
3. netd access to sysfs_net

Bug: 65643247
Test: can browse internet without netd denials
Test: netd_unit_test, netd_integration_test without netd denials
Merged-In: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e
Change-Id: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e
(cherry picked from commit e62a56b717acbf0f2152fd92f839953395b741a3)
---
 private/compat/26.0/26.0.cil | 1 +
 private/genfs_contexts       | 1 +
 public/file.te               | 1 +
 public/netd.te               | 6 ++++--
 4 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index a791009c9..2a32f141e 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -569,6 +569,7 @@
     sysfs_android_usb
     sysfs_dm
     sysfs_ipv4
+    sysfs_net
     sysfs_power
     sysfs_rtc
     sysfs_switch
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 2cc6f70db..c28d0cff9 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -72,6 +72,7 @@ genfscon sysfs /devices/virtual/block/zram1     u:object_r:sysfs_zram:s0
 genfscon sysfs /devices/virtual/block/zram0/uevent    u:object_r:sysfs_zram_uevent:s0
 genfscon sysfs /devices/virtual/block/zram1/uevent    u:object_r:sysfs_zram_uevent:s0
 genfscon sysfs /devices/virtual/misc/hw_random    u:object_r:sysfs_hwrandom:s0
+genfscon sysfs /devices/virtual/net             u:object_r:sysfs_net:s0
 genfscon sysfs /devices/virtual/switch          u:object_r:sysfs_switch:s0
 genfscon sysfs /fs/ext4/features                  u:object_r:sysfs_fs_ext4_features:s0
 genfscon sysfs /power/state u:object_r:sysfs_power:s0
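Review bot: The added genfscon labels only the /devices/virtual/net subtree as sysfs_net, so sysfs nodes of physical interfaces, which live under their own device paths rather than /devices/virtual, keep whatever label those paths carry and are not reached by the sysfs_net rules this commit adds to public/netd.te. The commit message says this labeling was moved out of vendor policy, so presumably device-specific genfs_contexts are expected to label the remaining interface paths as sysfs_net; that expectation is not visible here. A one-line comment above the new entry would make it explicit for the next reader, e.g. `# virtual interfaces only; device policy must label physical interface sysfs nodes as sysfs_net`.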
diff --git a/public/file.te b/public/file.te
index 435b85238..323198a8f 100644
--- a/public/file.te
+++ b/public/file.te
@@ -55,6 +55,7 @@ type sysfs_hwrandom, fs_type, sysfs_type;
 type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_wake_lock, fs_type, sysfs_type;
 type sysfs_mac_address, fs_type, sysfs_type;
+type sysfs_net, fs_type, sysfs_type;
 type sysfs_power, fs_type, sysfs_type;
 type sysfs_rtc, fs_type, sysfs_type;
 type sysfs_switch, fs_type, sysfs_type;
diff --git a/public/netd.te b/public/netd.te
index aa99da21a..a1917b373 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -38,9 +38,11 @@ r_dir_file(netd, proc_net)
 allow netd proc_net:file rw_file_perms;
 
 # Enables PppController and interface enumeration (among others)
-r_dir_file(netd, sysfs_type)
+allow netd sysfs:dir r_dir_perms;
+r_dir_file(netd, sysfs_net)
+
 # Allows setting interface MTU
-allow netd sysfs:file write;
+allow netd sysfs_net:file w_file_perms;
 
 # TODO: added to match above sysfs rule. Remove me?
 allow netd sysfs_usb:file write;
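Review bot: The TODO on the last two lines of the hunk still says the sysfs_usb write "was added to match above sysfs rule", but the rule it refers to (`allow netd sysfs:file write;`) is removed by this same hunk, so the comment now points at nothing. Either retire the sysfs_usb write along with it, if the netd tests cited in the message still pass without denials, or reword it to `# TODO: kept from an earlier generic sysfs:file write rule that has since been removed; confirm netd still needs it.` Separately, the replacement MTU rule grants `w_file_perms` on sysfs_net where the old rule granted bare `write` on sysfs; the target type narrows but the permission set on it appears to widen (w_file_perms is a macro whose expansion is not shown here), and the comment `# Allows setting interface MTU` could note that open/append are now included if that is intended. The new `allow netd sysfs:dir r_dir_perms;` line also grants directory reads across the whole generic sysfs tree rather than only the paths interface enumeration walks; a short comment naming those paths would help a later reviewer judge whether it can be narrowed.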
-- 
GitLab