Remove access to /proc/net/{tcp,udp}

Remove these files from proc_net_type. Domains that need access must
have permission explicitly granted. Neverallow app access except the
shell domain.

Bug: 114475727
Test: atest CtsLibcoreOjTestCases
Test: netstat, lsof
Test: adb bugreport
Change-Id: I2304e3e98c0d637af78a361569466aa2fbe79fa0

private/compat/26.0/26.0.cil

@@ -504,7 +504,7 @@
 (typeattributeset proc_modules_26_0 (proc_modules))
 (typeattributeset proc_net_26_0
   ( proc_net
-    proc_net_vpn
+    proc_net_tcp_udp
     proc_qtaguid_stat))
 (typeattributeset proc_overcommit_memory_26_0 (proc_overcommit_memory))
 (typeattributeset proc_perf_26_0 (proc_perf))

private/compat/27.0/27.0.cil

@@ -1218,7 +1218,7 @@
 (typeattributeset proc_modules_27_0 (proc_modules))
 (typeattributeset proc_net_27_0
   ( proc_net
-    proc_net_vpn
+    proc_net_tcp_udp
     proc_qtaguid_stat))
 (typeattributeset proc_overcommit_memory_27_0 (proc_overcommit_memory))
 (typeattributeset proc_perf_27_0 (proc_perf))

private/compat/28.0/28.0.cil

@@ -1399,7 +1399,7 @@
 (typeattributeset proc_mounts_28_0 (proc_mounts))
 (typeattributeset proc_net_28_0
   ( proc_net
-    proc_net_vpn))
+    proc_net_tcp_udp))
 (typeattributeset proc_overcommit_memory_28_0 (proc_overcommit_memory))
 (typeattributeset proc_page_cluster_28_0 (proc_page_cluster))
 (typeattributeset proc_pagetypeinfo_28_0 (proc_pagetypeinfo))

private/dumpstate.te

@@ -42,3 +42,4 @@ allow dumpstate dev_type:blk_file getattr;
 allow dumpstate webview_zygote:process signal;
 dontaudit dumpstate perfprofd:binder call;
 dontaudit dumpstate update_engine:binder call;
+allow dumpstate proc_net_tcp_udp:file r_file_perms;

private/genfs_contexts

@@ -17,8 +17,8 @@ genfscon proc /misc u:object_r:proc_misc:s0
 genfscon proc /modules u:object_r:proc_modules:s0
 genfscon proc /mounts u:object_r:proc_mounts:s0
 genfscon proc /net u:object_r:proc_net:s0
-genfscon proc /net/tcp u:object_r:proc_net_vpn:s0
-genfscon proc /net/udp u:object_r:proc_net_vpn:s0
+genfscon proc /net/tcp u:object_r:proc_net_tcp_udp:s0
+genfscon proc /net/udp u:object_r:proc_net_tcp_udp:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:proc_qtaguid_ctrl:s0
 genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0

private/shell.te

@@ -57,3 +57,6 @@ binder_call(shell, bufferhubd);
 
 # Allow shell to use atrace HAL
 hal_client_domain(shell, hal_atrace)
+
+# For hostside tests such as CTS listening ports test.
+allow shell proc_net_tcp_udp:file r_file_perms;

public/app.te

@@ -577,3 +577,8 @@ neverallow appdomain proc_uid_concurrent_policy_time:file *;
 
 # Apps cannot access proc_uid_cpupower
 neverallow appdomain proc_uid_cpupower:file *;
+
+# Apps may not read /proc/net/{tcp,tcp6,udp,udp6}. These files leak information across the
+# application boundary. VPN apps may use the ConnectivityManager.getConnectionOwnerUid() API to
+# perform UID lookups.
+neverallow { appdomain -shell } proc_net_tcp_udp:file *;

public/file.te

@@ -36,7 +36,7 @@ type proc_misc, fs_type, proc_type;
 type proc_modules, fs_type, proc_type;
 type proc_mounts, fs_type, proc_type;
 type proc_net, fs_type, proc_type, proc_net_type;
-type proc_net_vpn, fs_type, proc_type, proc_net_type;
+type proc_net_tcp_udp, fs_type, proc_type;
 type proc_page_cluster, fs_type, proc_type;
 type proc_pagetypeinfo, fs_type, proc_type;
 type proc_panic, fs_type, proc_type;