From 0f0324cc826afb9beefda802d496befe823a081e Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 22 Jan 2015 10:59:21 -0800
Subject: [PATCH] domain.te: allow /proc/net/psched access

external/sepolicy commit 99940d1af5719f1622fa2a17f8daf6cb21de3ad1 (https://android-review.googlesource.com/123331) removed /proc/net access from domain.te. Around the same time, system/core commit 9a20e67fa62c1e0e0080910deec4be82ebecc922 (https://android-review.googlesource.com/123531) was checked in. This change added libnl as a dependency of libsysutils. external/libnl/lib/utils.c has a function called get_psched_settings(), which is annotated with __attribute__((constructor)). This code gets executed when the library is loaded, regardless of whether or not other libnl code is executed. By adding the libnl dependency, even code which doesn't use the network (such as vold and logd) ends up accessing /proc/net/psched. For now, allow this behavior. However, in the future, it would be better to break this dependency so the additional code isn't loaded into processes which don't need it. Addresses the following denials:
avc: denied { read } for pid=148 comm="logd" name="psched" dev="proc" ino=4026536508 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
avc: denied { read } for pid=152 comm="vold" name="psched" dev="proc" ino=4026536508 scontext=u:r:vold:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
avc: denied { read } for pid=930 comm="wpa_supplicant" name="psched" dev="proc" ino=4026536508 scontext=u:r:wpa:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
Bug: 19079006
Change-Id: I1b6d2c144534d3f70f0028ef54b470a75bace1cf
---
 domain.te | 2 ++
 file.te | 1 +
 genfs_contexts | 1 +
 3 files changed, 4 insertions(+)

diff --git a/domain.te b/domain.te
index 08aa4c167..06c0bddbc 100644
--- a/domain.te
+++ b/domain.te
@@ -146,6 +146,8 @@ r_dir_file(domain, sysfs_devices_system_cpu)
 r_dir_file(domain, inotify)
 r_dir_file(domain, cgroup)
 allow domain proc_cpuinfo:file r_file_perms;
+allow domain proc_net:dir search;
+allow domain proc_net_psched:file r_file_perms;
 
 # debugfs access
 allow domain debugfs:dir r_dir_perms;
diff --git a/file.te b/file.te
index e1de664c3..9ec6a20be 100644
--- a/file.te
+++ b/file.te
@@ -12,6 +12,7 @@ type qtaguid_proc, fs_type, mlstrustedobject;
 type proc_bluetooth_writable, fs_type;
 type proc_cpuinfo, fs_type;
 type proc_net, fs_type;
+type proc_net_psched, fs_type;
 type proc_sysrq, fs_type;
 type selinuxfs, fs_type, mlstrustedobject;
 type cgroup, fs_type, mlstrustedobject;
diff --git a/genfs_contexts b/genfs_contexts
index 31b7e4f64..2f60ad1c5 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -3,6 +3,7 @@ genfscon rootfs / u:object_r:rootfs:s0
 # proc labeling can be further refined (longest matching prefix).
 genfscon proc / u:object_r:proc:s0
 genfscon proc /net u:object_r:proc_net:s0
+genfscon proc /net/psched u:object_r:proc_net_psched:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
 genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
-- 
GitLab
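Review bot: The two added `allow domain …` rules in the domain.te hunk have no comment, so the policy itself does not record that they exist only for libnl's load-time constructor, which the commit message describes as a stop-gap. I would put a comment above them, for example `# libnl's get_psched_settings() constructor reads /proc/net/psched on library load (Bug 19079006); remove once libsysutils no longer pulls in libnl.` Also, `r_file_perms` grants more than the bare `read` shown in the quoted denials, and `proc_net:dir search` lets every domain traverse /proc/net. Both look reasonable given the dedicated `proc_net_psched` type, but it is worth confirming that the wider set is intended for all domains.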
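Review bot: The new `genfscon proc /net/psched` entry in genfs_contexts is matched by path prefix, as the comment at the top of the hunk notes ("longest matching prefix"). It would therefore also label any other /proc/net entry whose name begins with `psched`, and the domain.te hunk makes that label readable from every domain. No such entry is visible on this page, so this is a caveat rather than a defect. A comment beside the entry would record it, for example `# readable by all domains (libnl constructor); prefix match also covers /net/psched*`.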