tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge "Disallow access to proc_net for ephemeral_app"

Browse source
This commit is contained in:
Chad Brubaker 2017-03-21 22:24:30 +00:00 committed by Gerrit Code Review
commit 2e7fa9d82f
2 changed files with 5 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
private/app.te
View file

@ -133,7 +133,7 @@ userdebug_or_eng(`
# Write to /proc/net/xt_qtaguid/ctrl file.
allow appdomain qtaguid_proc:file rw_file_perms;
# read /proc/net/xt_qtguid/stats
r_dir_file(appdomain, proc_net)
r_dir_file({ appdomain -ephemeral_app}, proc_net)
# Everybody can read the xt_qtaguid resource tracking misc dev.
# So allow all apps to read from /dev/xt_qtaguid.
allow appdomain qtaguid_device:chr_file r_file_perms;

4
private/ephemeral_app.te
View file

@ -52,3 +52,7 @@ neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
# Directly access external storage
neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
# Avoid reads to proc_net, it contains too much device wide information about
# ongoing connections.
neverallow ephemeral_app proc_net:file no_rw_file_perms;