From fad0b04de1f131aa64c6efa1314b3eb69f0bb9e9 Mon Sep 17 00:00:00 2001
From: Chenbo Feng <fengc@google.com>
Date: Fri, 26 Jan 2018 14:11:12 -0800
Subject: [PATCH] Remove app access to qtaguid ctrl/stats file

Remove the untrusted apps and privileged apps from the group that can
directly access the xt_qtaguid module's files. All apps that need to
access app network usage data need to use the public API provided in
the framework.

Test: Flashed with master branch on marlin, verified phone boot, can
      browse web, watch youtube video, make phone call and use google
      map for navigation with either wifi is on or off.
      run cts -m CtsNetTestCases -t android.net.cts.TrafficStatsTest
      run cts -m CtsNativeNetTestCases
Bug: 68774956 30950746

Change-Id: I9b3db819d6622611d5b512ef821abb4c28d6c9eb
---
 public/app.te | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/public/app.te b/public/app.te
index 3c29946c8..1fd818645 100644
--- a/public/app.te
+++ b/public/app.te
@@ -169,15 +169,7 @@ userdebug_or_eng(`
   allow appdomain heapdump_data_file:file append;
 ')
 
-# Write to /proc/net/xt_qtaguid/ctrl file.
-allow appdomain qtaguid_proc:file rw_file_perms;
 r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
-# read /proc/net/xt_qtguid/*stat* to per-app network data usage.
-# Exclude isolated app which may not use network sockets.
-r_dir_file({ appdomain -isolated_app }, proc_qtaguid_stat)
-# Everybody can read the xt_qtaguid resource tracking misc dev.
-# So allow all apps to read from /dev/xt_qtaguid.
-allow { appdomain -isolated_app } qtaguid_device:chr_file r_file_perms;
 
 # Grant GPU access to all processes started by Zygote.
 # They need that to render the standard UI.
@@ -550,3 +542,8 @@ neverallow appdomain proc_uid_concurrent_policy_time:file *;
 
 # Apps cannot access proc_uid_cpupower
 neverallow appdomain proc_uid_cpupower:file *;
+
+# Apps cannot access proc/net/xt_qtaguid/ files anymore since P.
+neverallow { appdomain -shell } qtaguid_proc:file rw_file_perms;
+neverallow { appdomain -shell } proc_qtaguid_stat:{ file lnk_file } r_file_perms;
+neverallow { appdomain -shell } qtaguid_device:chr_file r_file_perms;
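Review bot: The `-shell` exemption in the three new neverallow rules is not explained, while the comment above them says apps cannot access these files at all; the comment should state why shell is carved out, e.g. `# shell is exempt: <reason, not stated in this change>`, and mention /dev/xt_qtaguid since the third rule covers it. The second and third rules assert only `r_file_perms`, so a later allow rule granting an app domain `write` or `append` on `proc_qtaguid_stat` or `qtaguid_device` would still pass the build, unlike the neighbouring `proc_uid_cpupower` assertion, which uses `*`. If no remaining appdomain member needs other access (not verifiable from this hunk), consider `neverallow { appdomain -shell } qtaguid_device:chr_file *;` and the same widening for the stat type. The grant removed in the first hunk was `r_dir_file`, which also covers directories, whereas the new assertion on `proc_qtaguid_stat` names only `{ file lnk_file }`.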
-- 
GitLab