Remove untrusted app access to /proc/net

This change is for testing potential app-compat issues when removing
access to file in /proc/net. See: b/114475727#comment11.

Bug: 114475727
Test: build/boot taimen.
Test: atest CtsLibcoreOjTestCases
Test: FileSystemPermissionTest
Test: ListeningPortsTest b/114772424
Change-Id: I1db1c2b41308e47c9ec9db57ea8597a650c8906d
(cherry picked from commit 6784f80bad)
This commit is contained in:
Jeff Vander Stoep 2018-09-10 12:32:31 -07:00
parent 6cd9bd078a
commit d78e07cbb7

View file

@ -135,18 +135,6 @@ dontaudit untrusted_app_all proc_uptime:file read;
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
create_pty(untrusted_app_all)
# /proc/net access.
# TODO(b/9496886) Audit access for removal.
# VPN apps require access to /proc/net/{tcp,udp} so access will need to be
# limited through a mechanism other than SELinux.
r_dir_file(untrusted_app_all, proc_net_type)
userdebug_or_eng(`
auditallow untrusted_app_all {
proc_net_type
-proc_net_vpn
}:{ dir file lnk_file } { getattr open read };
')
# Attempts to write to system_data_file is generally a sign
# that apps are attempting to access encrypted storage before
# the ACTION_USER_UNLOCKED intent is delivered. Suppress this