neverallow some /proc file reads

am: 0b7506ff53

Change-Id: I8093d316ef2f0e5839073b88351bca4eace75b7b

public/ephemeral_app.te

@@ -116,3 +116,7 @@ neverallow ephemeral_app gpu_device:chr_file execute;
 
 # access files in /sys with the default sysfs label
 neverallow ephemeral_app sysfs:file *;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };

public/isolated_app.te

@@ -109,3 +109,7 @@ neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
 
 # Restrict the webview_zygote control socket.
 neverallow isolated_app webview_zygote_socket:sock_file write;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow isolated_app proc:file { no_rw_file_perms no_x_file_perms };

public/untrusted_app.te

@@ -193,3 +193,7 @@ neverallow untrusted_app tun_device:chr_file open;
 # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
 neverallow untrusted_app anr_data_file:file ~{ open append };
 neverallow untrusted_app anr_data_file:dir ~search;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow untrusted_app proc:file { no_rw_file_perms no_x_file_perms };