From 50bb7b5a67317dd9bff830f107d432d9048f8045 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 3 Mar 2017 12:17:49 -0800
Subject: [PATCH] Label /proc/misc

Label /proc/misc and allow access to untrusted_apps targeting older API
versions, as well as update_engine_common.

/proc/misc is used by some banking apps to try to detect if they are
running in an emulated environment.

TODO: Remove access to proc:file from update_engine_common after more
testing.

Bug: 35917228
Test: Device boots and no new denials.
Change-Id: If1b97a9c55a74cb74d1bb15137201ffb95b5bd75
---
 private/genfs_contexts         | 1 +
 private/untrusted_app_25.te    | 4 ++++
 public/file.te                 | 1 +
 public/update_engine_common.te | 5 ++++-
 4 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/private/genfs_contexts b/private/genfs_contexts
index d1e1b91f2..e84b49433 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -6,6 +6,7 @@ genfscon proc /config.gz u:object_r:config_gz:s0
 genfscon proc /interrupts u:object_r:proc_interrupts:s0
 genfscon proc /iomem u:object_r:proc_iomem:s0
 genfscon proc /meminfo u:object_r:proc_meminfo:s0
+genfscon proc /misc u:object_r:proc_misc:s0
 genfscon proc /net u:object_r:proc_net:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index cba0161c2..cd3f32bee 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -31,3 +31,7 @@ create_pty(untrusted_app_25)
 # b/34115651 - net.dns* properties read
 # This will go away in a future Android release
 get_prop(untrusted_app_25, net_dns_prop)
+
+# b/35917228 - /proc/misc access
+# This will go away in a future Android release
+allow untrusted_app_25 proc_misc:file r_file_perms;
diff --git a/public/file.te b/public/file.te
index 5cbc75a57..6aecab48f 100644
--- a/public/file.te
+++ b/public/file.te
@@ -16,6 +16,7 @@ type proc_cpuinfo, fs_type;
 type proc_interrupts, fs_type;
 type proc_iomem, fs_type;
 type proc_meminfo, fs_type;
+type proc_misc, fs_type;
 type proc_net, fs_type;
 type proc_stat, fs_type;
 type proc_sysrq, fs_type;
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 9409947ab..29d730ce4 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -33,7 +33,10 @@ allow update_engine_common shell_exec:file rx_file_perms;
 allow update_engine_common postinstall:process { signal sigstop };
 
 # access /proc/misc
-allow update_engine proc:file r_file_perms;
+# Access is also granted to proc:file, but it is likely unneeded
+# due to the more specific grant to proc_misc immediately below.
+allow update_engine proc:file r_file_perms; # delete candidate
+allow update_engine proc_misc:file r_file_perms;
 
 # read directories on /system and /vendor
 allow update_engine system_file:dir r_dir_perms;
-- 
GitLab