Label /proc/config.gz

Add a label to /proc/config.gz, so we can distinguish this file from other /proc files in security policy. For now, only init is allowed read access. All others are denied. TODO: clarify exactly who needs access. Further access will be granted in a future commit. Bug: 35126415 Test: policy compiles and no device boot problems. Change-Id: I8b480890495ce5b8aa3f8c7eb00e14159f177860

Label /proc/config.gz
Add a label to /proc/config.gz, so we can distinguish this file from other /proc files in security policy. For now, only init is allowed read access. All others are denied. TODO: clarify exactly who needs access. Further access will be granted in a future commit. Bug: 35126415 Test: policy compiles and no device boot problems. Change-Id: I8b480890495ce5b8aa3f8c7eb00e14159f177860
929da014 · Nick Kralevich · d419ed8f · 929da014 · 929da014
Commit 929da014 authored 8 years ago by Nick Kralevich
--- a/private/file.te
+++ b/private/file.te
@@ -2,3 +2,6 @@
 typealias audio_data_file alias audio_firmware_file;
 typealias app_data_file alias platform_app_data_file;
 typealias app_data_file alias download_file;
+
+# /proc/config.gz
+type config_gz, fs_type;
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -2,6 +2,7 @@
 genfscon rootfs / u:object_r:rootfs:s0
 # proc labeling can be further refined (longest matching prefix).
 genfscon proc / u:object_r:proc:s0
+genfscon proc /config.gz u:object_r:config_gz:s0
 genfscon proc /interrupts u:object_r:proc_interrupts:s0
 genfscon proc /iomem u:object_r:proc_iomem:s0
 genfscon proc /meminfo u:object_r:proc_meminfo:s0