087318957f
Files in /proc/net leak information. This change is the first step in determining which files apps may use, whitelisting benign access, and otherwise removing access while providing safe alternative APIs. To that end, this change: * Introduces the proc_net_type attribute which will assigned to any new SELinux types in /proc/net to avoid removing access to privileged processes. These processes may be evaluated later, but are lower priority than apps. * Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing use by VPN apps. This may be replaced by an alternative API. * Audits all other proc/net access for apps. * Audits proc/net access for other processes which are currently granted broad read access to /proc/net but should not be including storaged, zygote, clatd, logd, preopt2cachename and vold. Bug: 9496886 Bug: 68016944 Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube navigate maps, send text message, make voice call, make video call. Verify no avc "granted" messages in the logs. Test: A few VPN apps including "VPN Monster", "Turbo VPN", and "Freighter". Verify no logspam with the current setup. Test: atest CtsNativeNetTestCases Test: atest netd_integration_test Test: atest QtaguidPermissionTest Test: atest FileSystemPermissionTest Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
16 lines
585 B
Text
16 lines
585 B
Text
# preopt2cachename executable
|
|
#
|
|
# This executable translates names from the preopted versions the build system
|
|
# creates to the names the runtime expects in the data directory.
|
|
type preopt2cachename, domain;
|
|
type preopt2cachename_exec, exec_type, file_type;
|
|
|
|
# Allow write to stdout.
|
|
allow preopt2cachename cppreopts:fd use;
|
|
allow preopt2cachename cppreopts:fifo_file { getattr read write };
|
|
|
|
# Allow write to logcat.
|
|
allow preopt2cachename proc_net_type:file r_file_perms;
|
|
userdebug_or_eng(`
|
|
auditallow preopt2cachename proc_net_type:{ dir file lnk_file } { getattr open read };
|
|
')
|