From 9bf6a953ee065b4c7fcc0ddad7756b3e552278cf Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Thu, 21 Sep 2017 13:18:00 -0700
Subject: [PATCH] Explicitly label vold dependecies in /proc
1. Labeled:
/proc/cmdline -> proc_cmdline
2. Removed access to proc label from vold domain.
3. Added access proc_cmdline to these domains:
init, kernel, vold
4. Also, added proc_drop_caches access to vold.
Bug: 66497047
Test: device boots without selinux denials to new labels
Change-Id: Ic88d11b7e56b07c0e8bd874e7f72788922a218e3
---
private/compat/26.0/26.0.cil | 2 +-
private/genfs_contexts | 1 +
public/file.te | 1 +
public/init.te | 3 +++
public/kernel.te | 1 +
public/vold.te | 3 ++-
6 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 4ad2d8443..5a6ad3a54 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -447,7 +447,7 @@
(typeattributeset preopt2cachename_exec_26_0 (preopt2cachename_exec))
(typeattributeset print_service_26_0 (print_service))
(typeattributeset priv_app_26_0 (mediaprovider priv_app))
-(typeattributeset proc_26_0 (proc proc_asound_cards proc_filesystems proc_kmsg proc_loadavg proc_mounts proc_pagetypeinfo proc_swaps proc_uid_time_in_state proc_version proc_vmallocinfo))
+(typeattributeset proc_26_0 (proc proc_asound_cards proc_cmdline proc_filesystems proc_kmsg proc_loadavg proc_mounts proc_pagetypeinfo proc_swaps proc_uid_time_in_state proc_version proc_vmallocinfo))
(typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
(typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
(typeattributeset proc_drop_caches_26_0 (proc_drop_caches))
diff --git a/private/genfs_contexts b/private/genfs_contexts
index cfe7b92c8..b5827c803 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -3,6 +3,7 @@ genfscon rootfs / u:object_r:rootfs:s0
# proc labeling can be further refined (longest matching prefix).
genfscon proc / u:object_r:proc:s0
genfscon proc /asound/cards u:object_r:proc_asound_cards:s0
+genfscon proc /cmdline u:object_r:proc_cmdline:s0
genfscon proc /config.gz u:object_r:config_gz:s0
genfscon proc /filesystems u:object_r:proc_filesystems:s0
genfscon proc /interrupts u:object_r:proc_interrupts:s0
diff --git a/public/file.te b/public/file.te
index 62cad466b..840fd2eeb 100644
--- a/public/file.te
+++ b/public/file.te
@@ -14,6 +14,7 @@ type sysfs_usermodehelper, fs_type, sysfs_type;
type qtaguid_proc, fs_type, mlstrustedobject;
type proc_bluetooth_writable, fs_type;
type proc_asound_cards, fs_type;
+type proc_cmdline, fs_type;
type proc_cpuinfo, fs_type;
type proc_filesystems, fs_type;
type proc_interrupts, fs_type;
diff --git a/public/init.te b/public/init.te
index 51b07e27a..46e4ee6ce 100644
--- a/public/init.te
+++ b/public/init.te
@@ -274,6 +274,9 @@ allow init proc_stat:file r_file_perms;
# Read /proc/version.
allow init proc_version:file r_file_perms;
+# Read /proc/cmdline
+allow init proc_cmdline:file r_file_perms;
+
# Reboot.
allow init self:capability sys_boot;
diff --git a/public/kernel.te b/public/kernel.te
index 7f5d22443..64111b0fa 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -6,6 +6,7 @@ allow kernel self:capability sys_nice;
# Root fs.
r_dir_file(kernel, rootfs)
r_dir_file(kernel, proc)
+allow kernel proc_cmdline:file r_file_perms;
# Get SELinux enforcing status.
allow kernel selinuxfs:dir r_dir_perms;
diff --git a/public/vold.te b/public/vold.te
index e86caac3f..a8537154a 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -8,7 +8,6 @@ allow vold cache_file:file { getattr read };
allow vold cache_file:lnk_file r_file_perms;
# Read access to pseudo filesystems.
-r_dir_file(vold, proc)
r_dir_file(vold, proc_net)
r_dir_file(vold, sysfs_type)
# XXX Label sysfs files with a specific type?
@@ -18,6 +17,8 @@ allow vold sysfs_zram_uevent:file w_file_perms;
r_dir_file(vold, rootfs)
allow vold {
+ proc_cmdline
+ proc_drop_caches
proc_filesystems
proc_meminfo
proc_mounts
--
GitLab