priv_app: remove /proc/net access

Remove most of /proc/net access for priv_apps. Files in /proc/net leak
unique device identifiers and side-channel information about other apps'
network connections.

Access for most third-party applications was removed in commit
d78e07cbb7. This change applies the same
constraints to priv-apps that we apply to normal apps.

Bug: 114475727
Bug: 9496886
Bug: 68016944
Test: policy compiles and device boots
Change-Id: I5c41ba57fcd6b81d72c4f3a40b310d2188fc79c3
Nick Kralevich 2018-10-18 09:44:50 -07:00
parent a813114831
commit dfc3c33689

@ -85,13 +85,6 @@ allow priv_app {
proc_vmstat
}:file r_file_perms;
# /proc/net access.
# TODO(b/9496886) Audit access for removal.
r_dir_file(priv_app, proc_net_type)
userdebug_or_eng(`
auditallow priv_app proc_net_type:{ dir file lnk_file } { getattr open read };
')
allow priv_app sysfs_type:dir search;
# Read access to /sys/class/net/wlan*/address
r_dir_file(priv_app, sysfs_net)
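
Review bot: The block from "# /proc/net access." through the userdebug_or_eng auditallow goes away entirely, yet the commit message says only "most" /proc/net access is removed, so the policy no longer says which proc_net_type access priv_app is still expected to have or which rule grants it. Leave a short comment here pointing at the remaining grant, and consider a neverallow on priv_app for proc_net_type:{ dir file lnk_file } (with whatever exception is intended) so that the blanket r_dir_file(priv_app, proc_net_type) cannot be reintroduced unnoticed. The "Test:" line covers only that the policy compiles and the device boots; it would help to state whether the auditallow being dropped had logged any priv_app reads on userdebug builds before the allow rule was taken out.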