domain_deprecated.te: remove /proc/net access

Remove /proc/net access to domain_deprecated. Add it to domains where it was missing before. Other than these domains, SELinux denial monitoring hasn't picked up any denials related to /proc/net Bug: 28760354 Test: Device boots Test: No unexpected denials in denial collection logs. Change-Id: Ie5bfa4bc0070793c1e8bf3b00676fd31c08d426a
2016-11-30 15:22:18 -08:00 · 2016-11-30 15:22:18 -08:00 · dd649da84b
commit dd649da84b
parent 839c7ded30
4 changed files with 4 additions and 14 deletions
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@ -80,7 +80,6 @@ r_dir_file(domain_deprecated, proc)
 r_dir_file(domain_deprecated, sysfs)
 r_dir_file(domain_deprecated, cgroup)
 allow domain_deprecated proc_meminfo:file r_file_perms;
-r_dir_file(domain_deprecated, proc_net)
 #auditallow domain_deprecated proc:dir r_dir_perms; # r_dir_perms granted in domain
 auditallow { domain_deprecated -fsck -fsck_untrusted -init -priv_app -rild -system_server -vold } proc:file r_file_perms;
 auditallow { domain_deprecated -fsck -fsck_untrusted -init -priv_app -rild -system_server -vold } proc:lnk_file { open ioctl lock }; # getattr read granted in domain
@ -120,19 +119,6 @@ auditallow {
  -zygote
 } cgroup:{ file lnk_file } r_file_perms;
 auditallow { domain_deprecated -appdomain -init -priv_app -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
-auditallow { domain_deprecated -appdomain -clatd -init -netd -system_server -vold -wpa -zygote } proc_net:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow {
-  domain_deprecated
-  -appdomain
-  -clatd
-  -dumpstate
-  -init
-  -netd
-  -system_server
-  -vold
-  -wpa
-  -zygote
-} proc_net:{ file lnk_file } r_file_perms;

 # Get SELinux enforcing status.
 allow domain_deprecated selinuxfs:dir r_dir_perms;
--- a/public/netd.te
+++ b/public/netd.te
@ -29,6 +29,7 @@ allow netd shell_exec:file rx_file_perms;
 allow netd system_file:file x_file_perms;
 allow netd devpts:chr_file rw_file_perms;

+r_dir_file(netd, proc_net)
 # For /proc/sys/net/ipv[46]/route/flush.
 allow netd proc_net:file rw_file_perms;

--- a/public/ppp.te
+++ b/public/ppp.te
@ -5,6 +5,8 @@ type ppp_exec, exec_type, file_type;

 net_domain(ppp)

+r_dir_file(ppp, proc_net)
+
 allow ppp mtp:socket rw_socket_perms_no_ioctl;
 allow ppp mtp:unix_dgram_socket rw_socket_perms;
 allow ppp ppp_device:chr_file rw_file_perms;
--- a/public/rild.te
+++ b/public/rild.te
@ -44,6 +44,7 @@ allow rild self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 wakelock_use(rild)

 r_dir_file(rild, proc)
+r_dir_file(rild, proc_net)
 r_dir_file(rild, sysfs_type)
 r_dir_file(rild, system_file)