From c4a938e75b01c37a209483904916f0939424b53a Mon Sep 17 00:00:00 2001
From: Chad Brubaker <cbrubaker@google.com>
Date: Wed, 15 Mar 2017 14:26:18 -0700
Subject: [PATCH] Disallow access to proc_net for ephemeral_app

Test: Boots, runs
Bug: 32713782
Change-Id: Ia58db3c4c0159482f08e72ef638f3e1736095918
---
 private/app.te           | 2 +-
 private/ephemeral_app.te | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/private/app.te b/private/app.te
index 04be106f3..f21887e92 100644
--- a/private/app.te
+++ b/private/app.te
@@ -133,7 +133,7 @@ userdebug_or_eng(`
 # Write to /proc/net/xt_qtaguid/ctrl file.
 allow appdomain qtaguid_proc:file rw_file_perms;
 # read /proc/net/xt_qtguid/stats
-r_dir_file(appdomain, proc_net)
+r_dir_file({ appdomain -ephemeral_app}, proc_net)
 # Everybody can read the xt_qtaguid resource tracking misc dev.
 # So allow all apps to read from /dev/xt_qtaguid.
 allow appdomain qtaguid_device:chr_file r_file_perms;
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 2b94827b2..2b0515ad9 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -52,3 +52,7 @@ neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
 # Directly access external storage
 neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
 neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
+
+# Avoid reads to proc_net, it contains too much device wide information about
+# ongoing connections.
+neverallow ephemeral_app proc_net:file no_rw_file_perms;