From 929da014e6f2c4e97638f28c1b3bb6490122ea53 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 16 Feb 2017 12:04:40 -0800
Subject: [PATCH] Label /proc/config.gz

Add a label to /proc/config.gz, so we can distinguish this file from other /proc files in security policy. For now, only init is allowed read access. All others are denied. TODO: clarify exactly who needs access. Further access will be granted in a future commit.

Bug: 35126415
Test: policy compiles and no device boot problems.
Change-Id: I8b480890495ce5b8aa3f8c7eb00e14159f177860
---
 private/file.te | 3 +++
 private/genfs_contexts | 1 +
 2 files changed, 4 insertions(+)

diff --git a/private/file.te b/private/file.te
index 818a53dc1..da5f9adde 100644
--- a/private/file.te
+++ b/private/file.te
@@ -2,3 +2,6 @@ typealias audio_data_file alias audio_firmware_file;
 typealias app_data_file alias platform_app_data_file;
 typealias app_data_file alias download_file;
+
+# /proc/config.gz
+type config_gz, fs_type;
diff --git a/private/genfs_contexts b/private/genfs_contexts
index efdfb422c..0c5067579 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -2,6 +2,7 @@ genfscon rootfs / u:object_r:rootfs:s0
 # proc labeling can be further refined (longest matching prefix).
 genfscon proc / u:object_r:proc:s0
+genfscon proc /config.gz u:object_r:config_gz:s0
 genfscon proc /interrupts u:object_r:proc_interrupts:s0
 genfscon proc /iomem u:object_r:proc_iomem:s0
 genfscon proc /meminfo u:object_r:proc_meminfo:s0
--
GitLab
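Review bot: The new `type config_gz, fs_type;` in private/file.te arrives without any `allow` rule, yet the commit message states that init is allowed read access; unless that access already flows from an existing rule written over the `fs_type` attribute, the policy as patched denies init as well and the message overstates what this change does. If init access is intended, the rule belongs in this commit, or the message should say where the access comes from. The one-line comment would also serve a future reader better if it said why the file gets its own type, e.g. `# /proc/config.gz: kernel build configuration; labeled separately so read access can be limited to specific domains`. The sibling /proc types referenced in genfs_contexts (proc_iomem, proc_meminfo, ...) are declared outside this patch, so check that config_gz carries the same attribute set they do, otherwise attribute-wide rules will treat it differently from its neighbours.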
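Review bot: The `Test:` line covers only compilation and boot, but the new genfscon entry in private/genfs_contexts has an observable effect only on kernels that expose /proc/config.gz, so the label should be confirmed on such a device (e.g. `ls -Z /proc/config.gz` reporting `u:object_r:config_gz:s0`). Because the TODO in the message leaves open who needs access, that same boot should be checked for avc denials on config_gz, which is the direct way to learn the current readers before the follow-up commit decides what to grant. The entry itself is placed with the other path-specific proc entries and, per the comment above it, takes precedence over the generic `/` entry by longest-prefix match.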