From 84e181bcd7b31050e796317c645ee7b382a5bc5b Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Sun, 5 Nov 2017 15:35:16 -0800
Subject: [PATCH] init: label /proc dependencies and remove access to proc

New types and files labeled with them:
1. proc_abi:
  /proc/sys/abi/swp

2. proc_dirty:
  /proc/sys/vm/dirty_background_ratio
  /proc/sys/vm/dirty_expire_centisecs

3. proc_diskstats:
  /proc/diskstats

4. proc_extra_free_kbytes:
  /proc/sys/vm/extra_free_kbytes

5. proc_hostname:
  /proc/sys/kernel/domainname
  /proc/sys/kernel/hostname

6. proc_hung_task:
  /proc/sys/kernel/hung_task_timeout_secs

7. proc_max_map_count:
  /proc/sys/vm/max_map_count

8. proc_panic:
  /proc/sys/kernel/panic_on_oops

9. proc_sched:
  /proc/sys/kernel/sched_child_runs_first
  /proc/sys/kernel/sched_latency_ns
  /proc/sys/kernel/sched_rt_period_us
  /proc/sys/kernel/sched_rt_runtime_us
  /proc/sys/kernel/sched_tunable_scaling
  /proc/sys/kernel/sched_wakeup_granularity_ns

10. proc_uptime:
  /proc/uptime

Files labeled with already existing types:
1. proc_perf:
  /proc/sys/kernel/perf_event_paranoid

2. proc_sysrq:
  /proc/sys/kernel/sysrq

3. usermodehelper:
  /proc/sys/kernel/core_pipe_limit

Changes to init domain:
1. Removed access to files with 'proc' label.
2. Added access to newly introduced types + proc_kmsg.

Bug: 68949041
Test: walleye boots without denials from u:r:init:s0.
Test: system/core/init/grab-bootchart.sh does not trigger denials from
u:r:init:s0
Change-Id: If1715c3821e277679c320956df33dd273e750ea2
---
 private/compat/26.0/26.0.cil | 10 ++++++++++
 private/domain.te            |  1 -
 private/genfs_contexts       | 20 ++++++++++++++++++++
 public/file.te               | 10 ++++++++++
 public/init.te               | 17 +++++++++++++----
 5 files changed, 53 insertions(+), 5 deletions(-)

diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 00b68d29d..a1e6b5fde 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -450,18 +450,28 @@
 (typeattributeset priv_app_26_0 (mediaprovider priv_app))
 (typeattributeset proc_26_0
   ( proc
+    proc_abi
     proc_asound
     proc_cmdline
+    proc_dirty
+    proc_diskstats
+    proc_extra_free_kbytes
     proc_filesystems
+    proc_hostname
+    proc_hung_task
     proc_kmsg
     proc_loadavg
+    proc_max_map_count
     proc_mounts
     proc_overflowuid
     proc_page_cluster
     proc_pagetypeinfo
+    proc_panic
     proc_random
+    proc_sched
     proc_swaps
     proc_uid_time_in_state
+    proc_uptime
     proc_version
     proc_vmallocinfo))
 (typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
diff --git a/private/domain.te b/private/domain.te
index 6be50826f..95150741e 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -25,7 +25,6 @@ full_treble_only(`
   neverallow {
     coredomain
     -dumpstate
-    -init
     -platform_app
     -priv_app
     -shell
diff --git a/private/genfs_contexts b/private/genfs_contexts
index ee17d498c..9c08934d5 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -5,6 +5,7 @@ genfscon proc / u:object_r:proc:s0
 genfscon proc /asound u:object_r:proc_asound:s0
 genfscon proc /cmdline u:object_r:proc_cmdline:s0
 genfscon proc /config.gz u:object_r:config_gz:s0
+genfscon proc /diskstats u:object_r:proc_diskstats:s0
 genfscon proc /filesystems u:object_r:proc_filesystems:s0
 genfscon proc /interrupts u:object_r:proc_interrupts:s0
 genfscon proc /iomem u:object_r:proc_iomem:s0
@@ -22,22 +23,40 @@ genfscon proc /softirqs u:object_r:proc_timer:s0
 genfscon proc /stat u:object_r:proc_stat:s0
 genfscon proc /swaps u:object_r:proc_swaps:s0
 genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
+genfscon proc /sys/abi/swp u:object_r:proc_abi:s0
 genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
 genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
 genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/hostname u:object_r:proc_hostname:s0
 genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/hung_task_timeout_secs u:object_r:proc_hung_task:s0
 genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
 genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
 genfscon proc /sys/kernel/overflowuid u:object_r:proc_overflowuid:s0
+genfscon proc /sys/kernel/panic_on_oops u:object_r:proc_panic:s0
 genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
+genfscon proc /sys/kernel/perf_event_paranoid u:object_r:proc_perf:s0
 genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/random u:object_r:proc_random:s0
 genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
+genfscon proc /sys/kernel/sched_child_runs_first u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_latency_ns u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_rt_period_us u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_rt_runtime_us u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
 genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
 genfscon proc /sys/net u:object_r:proc_net:s0
+genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
+genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
+genfscon proc /sys/vm/extra_free_kbytes u:object_r:proc_extra_free_kbytes:s0
+genfscon proc /sys/vm/max_map_count u:object_r:proc_max_map_count:s0
 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
 genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
 genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
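Review bot: `/sys/kernel/sysrq` is given the existing proc_sysrq type, which this file already applies to `/sysrq-trigger`, yet the two files differ in weight: the first is the mask of permitted sysrq functions, the second fires one, so any domain holding write on proc_sysrq can now widen the mask before triggering instead of being limited to what the mask allowed. `/sys/kernel/perf_event_paranoid` likewise joins `perf_event_max_sample_rate` under proc_perf, placing a hardening knob and a tuning knob under one write permission. Only init's w_file_perms on these types is visible in this patch; if other domains hold them, a dedicated type for the sysrq mask (and for perf_event_paranoid) would preserve the split, and a comment such as `# sysrq mask shares proc_sysrq with /proc/sysrq-trigger` next to the new line would at least record the decision. Ordering nit: `/sys/kernel/domainname` is inserted before `dmesg_restrict`, where it no longer sorts alphabetically, and belongs next to `hostname`.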
@@ -52,6 +71,7 @@ genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeui
 genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
 genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
 genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
+genfscon proc /uptime u:object_r:proc_uptime:s0
 genfscon proc /version u:object_r:proc_version:s0
 genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
 genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
diff --git a/public/file.te b/public/file.te
index 37ebde4d6..0798bd1cd 100644
--- a/public/file.te
+++ b/public/file.te
@@ -13,14 +13,21 @@ type usermodehelper, fs_type;
 type sysfs_usermodehelper, fs_type, sysfs_type;
 type qtaguid_proc, fs_type, mlstrustedobject;
 type proc_bluetooth_writable, fs_type;
+type proc_abi, fs_type;
 type proc_asound, fs_type;
 type proc_cmdline, fs_type;
 type proc_cpuinfo, fs_type;
+type proc_dirty, fs_type;
+type proc_diskstats, fs_type;
+type proc_extra_free_kbytes, fs_type;
 type proc_filesystems, fs_type;
+type proc_hostname, fs_type;
+type proc_hung_task, fs_type;
 type proc_interrupts, fs_type;
 type proc_iomem, fs_type;
 type proc_kmsg, fs_type;
 type proc_loadavg, fs_type;
+type proc_max_map_count, fs_type;
 type proc_meminfo, fs_type;
 type proc_misc, fs_type;
 type proc_modules, fs_type;
@@ -29,8 +36,10 @@ type proc_net, fs_type;
 type proc_overflowuid, fs_type;
 type proc_page_cluster, fs_type;
 type proc_pagetypeinfo, fs_type;
+type proc_panic, fs_type;
 type proc_perf, fs_type;
 type proc_random, fs_type;
+type proc_sched, fs_type;
 type proc_stat, fs_type;
 type proc_swaps, fs_type;
 type proc_sysrq, fs_type;
@@ -41,6 +50,7 @@ type proc_uid_cputime_removeuid, fs_type;
 type proc_uid_io_stats, fs_type;
 type proc_uid_procstat_set, fs_type;
 type proc_uid_time_in_state, fs_type;
+type proc_uptime, fs_type;
 type proc_version, fs_type;
 type proc_vmallocinfo, fs_type;
 type proc_zoneinfo, fs_type;
diff --git a/public/init.te b/public/init.te
index 06f623166..deeb88727 100644
--- a/public/init.te
+++ b/public/init.te
@@ -209,6 +209,7 @@ allow init debugfs_wifi_tracing:file w_file_perms;
 allow init {
   fs_type
   -contextmount_type
+  -proc
   -sdcard_type
   -rootfs
 }:file { open read setattr };
@@ -262,16 +263,28 @@ r_dir_file(init, proc_net)
 
 allow init {
   proc_cmdline
+  proc_diskstats
+  proc_kmsg # Open /proc/kmsg for logd service.
   proc_meminfo
   proc_overflowuid
   proc_stat # Read /proc/stat for bootchart.
+  proc_uptime
   proc_version
 }:file r_file_perms;
 
 allow init {
+  proc_abi
+  proc_dirty
+  proc_hostname
+  proc_hung_task
+  proc_extra_free_kbytes
   proc_net
+  proc_max_map_count
   proc_overcommit_memory
+  proc_panic
   proc_page_cluster
+  proc_perf
+  proc_sched
   proc_sysrq
 }:file w_file_perms;
 
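Review bot: The new entries in the w_file_perms block are out of sorted order, `proc_extra_free_kbytes` sits after `proc_hung_task` and `proc_max_map_count` after `proc_net`, while the rest of both blocks and the file.te declarations in this patch keep alphabetical order. The last hunk also drops the only comment explaining why init writes panic_on_oops, and none of the new write entries carry a purpose comment, unlike `proc_kmsg` and `proc_stat` in the read block; suggest moving the two entries and annotating, e.g. `proc_panic # Write /proc/sys/kernel/panic_on_oops.` and `proc_perf # Write /proc/sys/kernel/perf_event_paranoid.`. Note that removing `r_dir_file(init, proc)` in that last hunk also takes away init's `proc:dir` search/read, which nothing in this patch re-grants, so the boot and bootchart tests in the description are what covers directory traversal under /proc.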
@@ -282,10 +295,6 @@ allow init {
 # Set usermodehelpers.
 allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
 
-# Write to /proc/sys/kernel/panic_on_oops.
-r_dir_file(init, proc)
-allow init proc:file w_file_perms;
-
 allow init self:capability net_admin;
 
 # Reboot.
-- 
GitLab