Do not allow apps to access network address file

Bug: 18068520 Bug: 21852542 Change-Id: I876b37ac31dd44201ea1c1400a7c2c16c6a10049

Do not allow apps to access network address file
e45cad77 · Jeff Vander Stoep · 1a6e29e2 · e45cad77 · e45cad77 · e45cad77
Commit e45cad77 authored 9 years ago by Jeff Vander Stoep
--- a/file.te
+++ b/file.te
@@ -21,6 +21,7 @@ type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_wake_lock, fs_type, sysfs_type;
+type sysfs_mac_address, fs_type, sysfs_type;
 # /sys/devices/system/cpu
 type sysfs_devices_system_cpu, fs_type, sysfs_type;
 # /sys/module/lowmemorykiller

--- a/system_server.te
+++ b/system_server.te
@@ -146,6 +146,7 @@ selinux_check_access(system_server)
 allow system_server sysfs:file rw_file_perms;
 allow system_server sysfs_nfc_power_writable:file rw_file_perms;
 allow system_server sysfs_devices_system_cpu:file w_file_perms;
+allow system_server sysfs_mac_address:file r_file_perms;

 # Access devices.
 allow system_server device:dir r_dir_perms;

--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -142,3 +142,6 @@ neverallow untrusted_app mlstrustedsubject:process fork;
 # bugs, so we want to ensure untrusted_app never has this
 # capability.
 neverallow untrusted_app file_type:file link;
+
+# Do not allow untrusted_app to access network MAC address file
+neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;