Merge "/proc, /sys access from uncrypt, update_engine, postinstall_dexopt"

71b19aa6 · Tri Vo · Gerrit Code Review · 37760442 · 04fb82f2 · 71b19aa6
Commit 71b19aa6 authored 7 years ago by Tri Vo Committed by Gerrit Code Review 7 years ago
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -447,7 +447,20 @@
 (typeattributeset preopt2cachename_exec_26_0 (preopt2cachename_exec))
 (typeattributeset print_service_26_0 (print_service))
 (typeattributeset priv_app_26_0 (mediaprovider priv_app))
-(typeattributeset proc_26_0 (proc proc_asound proc_cmdline proc_filesystems proc_kmsg proc_loadavg proc_mounts proc_pagetypeinfo proc_swaps proc_uid_time_in_state proc_version proc_vmallocinfo))
+(typeattributeset proc_26_0
+  ( proc
+    proc_asound
+    proc_cmdline
+    proc_filesystems
+    proc_kmsg
+    proc_loadavg
+    proc_mounts
+    proc_pagetypeinfo
+    proc_random
+    proc_swaps
+    proc_uid_time_in_state
+    proc_version
+    proc_vmallocinfo))
 (typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
 (typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
 (typeattributeset proc_drop_caches_26_0 (proc_drop_caches))
@@ -568,6 +581,7 @@
  ( sysfs
    sysfs_android_usb
    sysfs_dm
+    sysfs_dt_firmware_android
    sysfs_ipv4
    sysfs_net
    sysfs_power

--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -33,6 +33,7 @@ genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
 genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
 genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/random u:object_r:proc_random:s0
 genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
 genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
 genfscon proc /sys/net u:object_r:proc_net:s0
@@ -73,6 +74,7 @@ genfscon sysfs /devices/virtual/block/zram1/uevent    u:object_r:sysfs_zram_ueve
 genfscon sysfs /devices/virtual/misc/hw_random    u:object_r:sysfs_hwrandom:s0
 genfscon sysfs /devices/virtual/net             u:object_r:sysfs_net:s0
 genfscon sysfs /devices/virtual/switch          u:object_r:sysfs_switch:s0
+genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
 genfscon sysfs /fs/ext4/features                  u:object_r:sysfs_fs_ext4_features:s0
 genfscon sysfs /power/state u:object_r:sysfs_power:s0
 genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0

--- a/public/file.te
+++ b/public/file.te
@@ -28,6 +28,7 @@ type proc_mounts, fs_type;
 type proc_net, fs_type;
 type proc_pagetypeinfo, fs_type;
 type proc_perf, fs_type;
+type proc_random, fs_type;
 type proc_stat, fs_type;
 type proc_swaps, fs_type;
 type proc_sysrq, fs_type;
@@ -49,6 +50,7 @@ type sysfs_uio, sysfs_type, fs_type;
 type sysfs_batteryinfo, fs_type, sysfs_type;
 type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_dm, fs_type, sysfs_type;
+type sysfs_dt_firmware_android, fs_type, sysfs_type;
 type sysfs_ipv4, fs_type, sysfs_type;
 type sysfs_leds, fs_type, sysfs_type;
 type sysfs_hwrandom, fs_type, sysfs_type;

--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -10,7 +10,7 @@ allow postinstall_dexopt self:capability { chown dac_override fowner setgid setu
 allow postinstall_dexopt postinstall_file:filesystem getattr;
 allow postinstall_dexopt postinstall_file:dir { getattr search };
 allow postinstall_dexopt postinstall_file:lnk_file read;
-allow postinstall_dexopt proc:file { getattr open read };
+allow postinstall_dexopt proc_filesystems:file { getattr open read };
 allow postinstall_dexopt tmpfs:file read;

 # Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access

--- a/public/recovery.te
+++ b/public/recovery.te
@@ -135,8 +135,6 @@ recovery_only(`
  # This line seems suspect, as it should not really need to
  # set scheduling parameters for a kernel domain task.
  allow recovery kernel:process setsched;
-
-  allow recovery proc_cmdline:file r_file_perms;
 ')

 ###

--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -42,4 +42,4 @@ r_dir_file(uncrypt, rootfs)
 allow uncrypt proc_cmdline:file r_file_perms;

 # Read files in /sys
-r_dir_file(uncrypt, sysfs)
+r_dir_file(uncrypt, sysfs_dt_firmware_android)
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -40,12 +40,8 @@ allow update_engine ota_package_file:dir r_dir_perms;
 # Use Boot Control HAL
 hal_client_domain(update_engine, hal_bootctl)

-# access /proc/misc and /proc/sys/kernel/random/boot_id
-allow update_engine proc:file r_file_perms;
+# access /proc/misc
 allow update_engine proc_misc:file r_file_perms;

 # read directories on /system and /vendor
 allow update_engine system_file:dir r_dir_perms;
-
-# Read files in /sys
-r_dir_file(update_engine, sysfs)
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -37,3 +37,10 @@ allow update_engine_common shell_exec:file rx_file_perms;

 # Allow update_engine_common to suspend, resume and kill the postinstall program.
 allow update_engine_common postinstall:process { signal sigstop sigkill };
+
+# access /proc/cmdline and /proc/sys/kernel/random/
+allow update_engine_common proc_cmdline:file r_file_perms;
+r_dir_file(update_engine_common, proc_random)
+
+# Read files in /sys/firmware/devicetree/base/firmware/android/
+r_dir_file(update_engine_common, sysfs_dt_firmware_android)