priv_app: remove /proc/net access
Remove most of /proc/net access for priv_apps. Files in /proc/net leak
unique device identifiers and side channel information about other app's
network connections.
Access for most third party applications was removed in commit
d78e07cbb7
. This change applies the same
constraints to priv-apps that we apply to normal apps.
Bug: 114475727
Bug: 9496886
Bug: 68016944
Test: policy compiles and device boots
Change-Id: I5c41ba57fcd6b81d72c4f3a40b310d2188fc79c3
This commit is contained in:
parent
a813114831
commit
dfc3c33689
@ -85,13 +85,6 @@ allow priv_app {
|
||||
proc_vmstat
|
||||
}:file r_file_perms;
|
||||
|
||||
# /proc/net access.
|
||||
# TODO(b/9496886) Audit access for removal.
|
||||
r_dir_file(priv_app, proc_net_type)
|
||||
userdebug_or_eng(`
|
||||
auditallow priv_app proc_net_type:{ dir file lnk_file } { getattr open read };
|
||||
')
|
||||
|
||||
allow priv_app sysfs_type:dir search;
|
||||
# Read access to /sys/class/net/wlan*/address
|
||||
r_dir_file(priv_app, sysfs_net)
|
||||
|
Loading…
Reference in New Issue
Block a user