From dd649da84b5bb9e54a180d45c4c5b754750bd779 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 30 Nov 2016 15:22:18 -0800
Subject: [PATCH] domain_deprecated.te: remove /proc/net access

Remove /proc/net access to domain_deprecated. Add it to domains where it
was missing before.

Other than these domains, SELinux denial monitoring hasn't picked up any
denials related to /proc/net.

Bug: 28760354
Test: Device boots
Test: No unexpected denials in denial collection logs.
Change-Id: Ie5bfa4bc0070793c1e8bf3b00676fd31c08d426a
---
 public/domain_deprecated.te | 14 --------------
 public/netd.te              |  1 +
 public/ppp.te               |  2 ++
 public/rild.te              |  1 +
 4 files changed, 4 insertions(+), 14 deletions(-)

diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index a8320b51d..13b18fa25 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -80,7 +80,6 @@ r_dir_file(domain_deprecated, proc)
 r_dir_file(domain_deprecated, sysfs)
 r_dir_file(domain_deprecated, cgroup)
 allow domain_deprecated proc_meminfo:file r_file_perms;
-r_dir_file(domain_deprecated, proc_net)
 #auditallow domain_deprecated proc:dir r_dir_perms; # r_dir_perms granted in domain
 auditallow { domain_deprecated -fsck -fsck_untrusted -init -priv_app -rild -system_server -vold } proc:file r_file_perms;
 auditallow { domain_deprecated -fsck -fsck_untrusted -init -priv_app -rild -system_server -vold } proc:lnk_file { open ioctl lock }; # getattr read granted in domain
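Review bot: Dropping `r_dir_file(domain_deprecated, proc_net)` turns every proc_net access that the old rule covered into a real denial, and the only replacement grants in this patch are for netd, ppp and rild. The exclusion sets deleted in the next hunk name appdomain, clatd, dumpstate, system_server, vold, wpa and zygote as domains that were already reading proc_net; presumably each of those carries its own proc_net rule, but nothing in the patch or its description confirms that. The description's "Add it to domains where it was missing before" would be stronger if it listed the domains that were checked, so a later reader can tell a missed domain from an intentional removal. The surrounding domain_deprecated rules continue outside both hunks.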
@@ -120,19 +119,6 @@ auditallow {
   -zygote
 } cgroup:{ file lnk_file } r_file_perms;
 auditallow { domain_deprecated -appdomain -init -priv_app -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
-auditallow { domain_deprecated -appdomain -clatd -init -netd -system_server -vold -wpa -zygote } proc_net:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow {
-  domain_deprecated
-  -appdomain
-  -clatd
-  -dumpstate
-  -init
-  -netd
-  -system_server
-  -vold
-  -wpa
-  -zygote
-} proc_net:{ file lnk_file } r_file_perms;
 
 # Get SELinux enforcing status.
 allow domain_deprecated selinuxfs:dir r_dir_perms;
diff --git a/public/netd.te b/public/netd.te
index dc4a1b3ee..45a19525c 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -29,6 +29,7 @@ allow netd shell_exec:file rx_file_perms;
 allow netd system_file:file x_file_perms;
 allow netd devpts:chr_file rw_file_perms;
 
+r_dir_file(netd, proc_net)
 # For /proc/sys/net/ipv[46]/route/flush.
 allow netd proc_net:file rw_file_perms;
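Review bot: `r_dir_file(netd, proc_net)` is inserted directly above `# For /proc/sys/net/ipv[46]/route/flush.`, so that comment now reads as if it documents the macro rather than the `rw_file_perms` rule beneath it. If r_dir_file expands as in te_macros (dir r_dir_perms plus file and lnk_file r_file_perms), the file-read part is already implied by the existing rw rule, and the new line effectively adds only dir and lnk_file reads. Placing the new line after the existing pair with its own comment, e.g. `# Read /proc/net directory entries and symlinks; file read is granted above.`, keeps the two grants distinguishable when the next denial is triaged.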
 
diff --git a/public/ppp.te b/public/ppp.te
index 5708822ee..9c1b7078b 100644
--- a/public/ppp.te
+++ b/public/ppp.te
@@ -5,6 +5,8 @@ type ppp_exec, exec_type, file_type;
 
 net_domain(ppp)
 
+r_dir_file(ppp, proc_net)
+
 allow ppp mtp:socket rw_socket_perms_no_ioctl;
 allow ppp mtp:unix_dgram_socket rw_socket_perms;
 allow ppp ppp_device:chr_file rw_file_perms;
diff --git a/public/rild.te b/public/rild.te
index 85aa04415..bc6d6293d 100644
--- a/public/rild.te
+++ b/public/rild.te
@@ -44,6 +44,7 @@ allow rild self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 wakelock_use(rild)
 
 r_dir_file(rild, proc)
+r_dir_file(rild, proc_net)
 r_dir_file(rild, sysfs_type)
 r_dir_file(rild, system_file)
 
-- 
GitLab