Explicitly label vold dependecies in /proc

1. Labeled: /proc/cmdline -> proc_cmdline 2. Removed access to proc label from vold domain. 3. Added access proc_cmdline to these domains: init, kernel, vold 4. Also, added proc_drop_caches access to vold. Bug: 66497047 Test: device boots without selinux denials to new labels Change-Id: Ic88d11b7e56b07c0e8bd874e7f72788922a218e3

Explicitly label vold dependecies in /proc
1. Labeled: /proc/cmdline -> proc_cmdline 2. Removed access to proc label from vold domain. 3. Added access proc_cmdline to these domains: init, kernel, vold 4. Also, added proc_drop_caches access to vold. Bug: 66497047 Test: device boots without selinux denials to new labels Change-Id: Ic88d11b7e56b07c0e8bd874e7f72788922a218e3
9bf6a953 · Tri Vo · 01c57421 · 9bf6a953 · 9bf6a953 · 9bf6a953
Commit 9bf6a953 authored 7 years ago by Tri Vo
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -447,7 +447,7 @@
 (typeattributeset preopt2cachename_exec_26_0 (preopt2cachename_exec))
 (typeattributeset print_service_26_0 (print_service))
 (typeattributeset priv_app_26_0 (mediaprovider priv_app))
-(typeattributeset proc_26_0 (proc proc_asound_cards proc_filesystems proc_kmsg proc_loadavg proc_mounts proc_pagetypeinfo proc_swaps proc_uid_time_in_state proc_version proc_vmallocinfo))
+(typeattributeset proc_26_0 (proc proc_asound_cards proc_cmdline proc_filesystems proc_kmsg proc_loadavg proc_mounts proc_pagetypeinfo proc_swaps proc_uid_time_in_state proc_version proc_vmallocinfo))
 (typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
 (typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
 (typeattributeset proc_drop_caches_26_0 (proc_drop_caches))

--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -3,6 +3,7 @@ genfscon rootfs / u:object_r:rootfs:s0
 # proc labeling can be further refined (longest matching prefix).
 genfscon proc / u:object_r:proc:s0
 genfscon proc /asound/cards u:object_r:proc_asound_cards:s0
+genfscon proc /cmdline u:object_r:proc_cmdline:s0
 genfscon proc /config.gz u:object_r:config_gz:s0
 genfscon proc /filesystems u:object_r:proc_filesystems:s0
 genfscon proc /interrupts u:object_r:proc_interrupts:s0

--- a/public/file.te
+++ b/public/file.te
@@ -14,6 +14,7 @@ type sysfs_usermodehelper, fs_type, sysfs_type;
 type qtaguid_proc, fs_type, mlstrustedobject;
 type proc_bluetooth_writable, fs_type;
 type proc_asound_cards, fs_type;
+type proc_cmdline, fs_type;
 type proc_cpuinfo, fs_type;
 type proc_filesystems, fs_type;
 type proc_interrupts, fs_type;

--- a/public/init.te
+++ b/public/init.te
@@ -274,6 +274,9 @@ allow init proc_stat:file r_file_perms;
 # Read /proc/version.
 allow init proc_version:file r_file_perms;

+# Read /proc/cmdline
+allow init proc_cmdline:file r_file_perms;
+
 # Reboot.
 allow init self:capability sys_boot;


--- a/public/kernel.te
+++ b/public/kernel.te
@@ -6,6 +6,7 @@ allow kernel self:capability sys_nice;
 # Root fs.
 r_dir_file(kernel, rootfs)
 r_dir_file(kernel, proc)
+allow kernel proc_cmdline:file r_file_perms;

 # Get SELinux enforcing status.
 allow kernel selinuxfs:dir r_dir_perms;

--- a/public/vold.te
+++ b/public/vold.te
@@ -8,7 +8,6 @@ allow vold cache_file:file { getattr read };
 allow vold cache_file:lnk_file r_file_perms;

 # Read access to pseudo filesystems.
-r_dir_file(vold, proc)
 r_dir_file(vold, proc_net)
 r_dir_file(vold, sysfs_type)
 # XXX Label sysfs files with a specific type?
@@ -18,6 +17,8 @@ allow vold sysfs_zram_uevent:file w_file_perms;

 r_dir_file(vold, rootfs)
 allow vold {
+  proc_cmdline
+  proc_drop_caches
  proc_filesystems
  proc_meminfo
  proc_mounts