From 8c2323d3f9d052ddb7c2a3ef87db59d13f5021c0 Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Thu, 14 Sep 2017 13:59:09 -0700
Subject: [PATCH] Explicitly label system_server's dependencies in /proc

Labeled:
/proc/asound/cards -> proc_asound_cards
/proc/loadavg -> proc_loadavg
/proc/pagetypeinfo -> proc_pagetypeinfo
/proc/version -> proc_version
/proc/vmallocinfo -> proc_vmallocinfo

system_server: added access to all new types and removed access to proc label.
init: added access to proc_version.
dumpstate: added access to proc_pagetypeinfo, proc_version, proc_vmallocinfo.
hal_audio: added access to proc_asound_cards.
all_untrusted_apps: extended neverallow rule to include new labels.

Bug: 65980789
Test: device boots without selinux denials to the newly introduced labels.
Test: "adb shell dumpstate" throws no violations to new labels.
Change-Id: Ic60facd3d4776e38d5e3ba003d06ada4e52c7dca
---
private/app_neverallows.te | 10 +++++++++-
private/compat/26.0/26.0.cil | 2 +-
private/genfs_contexts | 5 +++++
private/system_server.te | 6 +++++-
public/dumpstate.te | 3 +++
public/file.te | 5 +++++
public/hal_audio.te | 1 +
public/init.te | 3 +++
8 files changed, 32 insertions(+), 3 deletions(-)
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index dd0daeb88..280649e0a 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -108,7 +108,15 @@ neverallow all_untrusted_apps anr_data_file:dir ~search;
 # Avoid reads from generically labeled /proc files
 # Create a more specific label if needed
-neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };
+neverallow all_untrusted_apps {
+ proc
+ proc_asound_cards
+ proc_kmsg
+ proc_loadavg
+ proc_pagetypeinfo
+ proc_version
+ proc_vmallocinfo
+}:file { no_rw_file_perms no_x_file_perms };
 # Avoid all access to kernel configuration
 neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
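Review bot: The extended neverallow in app_neverallows.te now depends on a hand-maintained list of proc types, so the next time a file is carved out of `proc` into its own type the untrusted-app restriction silently stops covering it unless this list is edited as well; nothing in the hunk ties the two together. A dedicated attribute declared alongside the types (a proposed name such as `proc_type`, attached to every fine-grained /proc type) and used as `neverallow all_untrusted_apps { proc proc_type }:file { no_rw_file_perms no_x_file_perms };` would make future labels inherit the restriction by default, with explicit carve-outs only for the types untrusted apps are meant to read. Until such an attribute exists, a comment above the rule, e.g. `# Any new proc_* type split out of proc must be added to this list.`, would at least record the obligation next to the rule.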
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 9f1643b8d..f76be005b 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -446,7 +446,7 @@
 (typeattributeset preopt2cachename_exec_26_0 (preopt2cachename_exec))
 (typeattributeset print_service_26_0 (print_service))
 (typeattributeset priv_app_26_0 (mediaprovider priv_app))
-(typeattributeset proc_26_0 (proc proc_uid_time_in_state proc_kmsg))
+(typeattributeset proc_26_0 (proc proc_asound_cards proc_kmsg proc_loadavg proc_pagetypeinfo proc_uid_time_in_state proc_version proc_vmallocinfo))
 (typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
 (typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
 (typeattributeset proc_drop_caches_26_0 (proc_drop_caches))
diff --git a/private/genfs_contexts b/private/genfs_contexts
index e0375d158..01c63698f 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -2,16 +2,19 @@ genfscon rootfs / u:object_r:rootfs:s0
 # proc labeling can be further refined (longest matching prefix).
 genfscon proc / u:object_r:proc:s0
+genfscon proc /asound/cards u:object_r:proc_asound_cards:s0
 genfscon proc /config.gz u:object_r:config_gz:s0
 genfscon proc /interrupts u:object_r:proc_interrupts:s0
 genfscon proc /iomem u:object_r:proc_iomem:s0
 genfscon proc /kmsg u:object_r:proc_kmsg:s0
+genfscon proc /loadavg u:object_r:proc_loadavg:s0
 genfscon proc /meminfo u:object_r:proc_meminfo:s0
 genfscon proc /misc u:object_r:proc_misc:s0
 genfscon proc /modules u:object_r:proc_modules:s0
 genfscon proc /net u:object_r:proc_net:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
+genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0
 genfscon proc /softirqs u:object_r:proc_timer:s0
 genfscon proc /stat u:object_r:proc_stat:s0
 genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
@@ -42,6 +45,8 @@ genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeui
 genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
 genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
 genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
+genfscon proc /version u:object_r:proc_version:s0
+genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
 genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
 # selinuxfs booleans can be individually labeled.
diff --git a/private/system_server.te b/private/system_server.te
index 109587e28..c1b184a31 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -675,9 +675,13 @@ allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdi
 r_dir_file(system_server, cgroup)
 allow system_server ion_device:chr_file r_file_perms;
-r_dir_file(system_server, proc)
+r_dir_file(system_server, proc_asound_cards)
+r_dir_file(system_server, proc_loadavg)
 r_dir_file(system_server, proc_meminfo)
 r_dir_file(system_server, proc_net)
+r_dir_file(system_server, proc_pagetypeinfo)
+r_dir_file(system_server, proc_version)
+r_dir_file(system_server, proc_vmallocinfo)
 r_dir_file(system_server, rootfs)
 r_dir_file(system_server, sysfs_type)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 3abf75000..d0204a50b 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -153,6 +153,9 @@ read_runtime_log_tags(dumpstate)
 # Read files in /proc
 allow dumpstate proc_meminfo:file r_file_perms;
 allow dumpstate proc_net:file r_file_perms;
+allow dumpstate proc_pagetypeinfo:file r_file_perms;
+allow dumpstate proc_version:file r_file_perms;
+allow dumpstate proc_vmallocinfo:file r_file_perms;
 r_dir_file(dumpstate, proc)
 # Read network state info files.
diff --git a/public/file.te b/public/file.te
index b49ff78b7..f7704b586 100644
--- a/public/file.te
+++ b/public/file.te
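Review bot: The five new `r_dir_file(system_server, …)` lines in the system_server.te hunk grant dir permissions as well as file permissions on types that, per the genfs_contexts entries in this patch, each label a single /proc entry, so the narrower form dumpstate uses in the same patch, e.g. `allow system_server proc_version:file r_file_perms;`, would express the same need with fewer permissions and keep the two domains consistent. Separately, removing `r_dir_file(system_server, proc)` also removes the only visible grant of dir search on `proc`, which /proc/asound/cards still needs because its parent directory /proc/asound keeps the `proc` label under longest-prefix matching; the boot test in the commit message suggests that search comes from a domain-wide rule not shown here, but that is worth confirming before relying on it. The proc_vmallocinfo grant is also the one to scrutinise most, since that file exposes kernel address layout and the patch does not say which system_server feature needs it.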
@@ -13,14 +13,17 @@ type usermodehelper, fs_type;
 type sysfs_usermodehelper, fs_type, sysfs_type;
 type qtaguid_proc, fs_type, mlstrustedobject;
 type proc_bluetooth_writable, fs_type;
+type proc_asound_cards, fs_type;
 type proc_cpuinfo, fs_type;
 type proc_interrupts, fs_type;
 type proc_iomem, fs_type;
 type proc_kmsg, fs_type;
+type proc_loadavg, fs_type;
 type proc_meminfo, fs_type;
 type proc_misc, fs_type;
 type proc_modules, fs_type;
 type proc_net, fs_type;
+type proc_pagetypeinfo, fs_type;
 type proc_perf, fs_type;
 type proc_stat, fs_type;
 type proc_sysrq, fs_type;
@@ -31,6 +34,8 @@ type proc_uid_cputime_removeuid, fs_type;
 type proc_uid_io_stats, fs_type;
 type proc_uid_procstat_set, fs_type;
 type proc_uid_time_in_state, fs_type;
+type proc_version, fs_type;
+type proc_vmallocinfo, fs_type;
 type proc_zoneinfo, fs_type;
 type selinuxfs, fs_type, mlstrustedobject;
 type cgroup, fs_type, mlstrustedobject;
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 33330bf6b..be7e23550 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -14,6 +14,7 @@ userdebug_or_eng(`
 ')
 r_dir_file(hal_audio, proc)
+r_dir_file(hal_audio, proc_asound_cards)
 allow hal_audio audio_device:dir r_dir_perms;
 allow hal_audio audio_device:chr_file rw_file_perms;
diff --git a/public/init.te b/public/init.te
index f317877c2..eb7b19885 100644
--- a/public/init.te
+++ b/public/init.te
@@ -271,6 +271,9 @@ allow init proc_sysrq:file w_file_perms;
 # Read /proc/stat for bootchart.
 allow init proc_stat:file r_file_perms;
+# Read /proc/version.
+allow init proc_version:file r_file_perms;
+
 # Reboot.
 allow init self:capability sys_boot;
-- 
GitLab
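Review bot: The new `type proc_*, fs_type;` declarations in the first file.te hunk carry no comment recording that every fine-grained /proc type must also be registered in private/genfs_contexts, in the 26.0 compat mapping and in the app_neverallows.te list, which this patch does by hand across three other files; the same applies to the two declarations in the second file.te hunk. A one-line comment above the proc_* group, e.g. `# Fine-grained /proc labels: a new type also needs a genfscon entry, a compat-mapping entry and an app_neverallows.te entry.`, would stop the next split from missing one of those places. Ordering nit: `proc_asound_cards` is inserted after `proc_bluetooth_writable`, while the rest of the group is kept alphabetical.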