Merge "Block SDK 28 app from using proc/net/xt_qtaguid"

am: c69cbe55 Change-Id: I741c90bf96d43b6ab5227696ac24d8891cf5dc97

Merge "Block SDK 28 app from using proc/net/xt_qtaguid"
c9f91a8c · Chenbo Feng · android-build-merger · 9f33cad7 · c69cbe55 · c9f91a8c
Commit c9f91a8c authored 6 years ago by Chenbo Feng Committed by android-build-merger 6 years ago
--- a/public/app.te
+++ b/public/app.te
@@ -170,14 +170,38 @@ userdebug_or_eng(`
 ')

 # Write to /proc/net/xt_qtaguid/ctrl file.
-allow appdomain qtaguid_proc:file rw_file_perms;
+allow {
+    untrusted_app_25
+    untrusted_app_27
+    ephemeral_app
+    priv_app
+    system_app
+    platform_app
+    shell
+} qtaguid_proc:file rw_file_perms;
 r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
 # read /proc/net/xt_qtguid/*stat* to per-app network data usage.
 # Exclude isolated app which may not use network sockets.
-r_dir_file({ appdomain -isolated_app }, proc_qtaguid_stat)
+r_dir_file({
+    untrusted_app_25
+    untrusted_app_27
+    ephemeral_app
+    priv_app
+    system_app
+    platform_app
+    shell
+}, proc_qtaguid_stat)
 # Everybody can read the xt_qtaguid resource tracking misc dev.
 # So allow all apps to read from /dev/xt_qtaguid.
-allow { appdomain -isolated_app } qtaguid_device:chr_file r_file_perms;
+allow {
+    untrusted_app_25
+    untrusted_app_27
+    ephemeral_app
+    priv_app
+    system_app
+    platform_app
+    shell
+} qtaguid_device:chr_file r_file_perms;

 # Grant GPU access to all processes started by Zygote.
 # They need that to render the standard UI.