Merge "init: restrict setattr perms to /proc."

4bb33bc3 · Tri Vo · Gerrit Code Review · 65352c90 · d0fe17ca · 4bb33bc3
Commit 4bb33bc3 authored 6 years ago by Tri Vo Committed by Gerrit Code Review 6 years ago
--- a/public/init.te
+++ b/public/init.te
@@ -227,7 +227,7 @@ allow init debugfs_wifi_tracing:file w_file_perms;
 allow init {
  fs_type
  -contextmount_type
-  -proc
+  -proc_type
  -sdcard_type
  -sysfs_type
  -rootfs
@@ -311,6 +311,17 @@ allow init {
  proc_security
 }:file rw_file_perms;

+# init chmod/chown access to /proc files.
+allow init {
+  proc_cmdline
+  proc_kmsg
+  proc_net
+  proc_qtaguid_stat
+  proc_sysrq
+  proc_qtaguid_ctrl
+  proc_vmallocinfo
+}:file setattr;
+
 # init access to /sys files.
 allow init {
  sysfs_android_usb