Allow domain to read proc dirs.

Ability to read all of proc was placed in domain_deprecated with the intention of reducing information leaking from proc. Many processes try to read proc dirs, though. Allow this with the belief that information leakage is from the proc files themselves rather than dir structure. Address the following denial: avc: denied { read } for name="/" dev="proc" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=dir permissive=0 Bug: 26833472 Change-Id: I975ae022c093e1cf80de21487dc11e49f938e5a3

Allow domain to read proc dirs.
Ability to read all of proc was placed in domain_deprecated with the intention of reducing information leaking from proc. Many processes try to read proc dirs, though. Allow this with the belief that information leakage is from the proc files themselves rather than dir structure. Address the following denial: avc: denied { read } for name="/" dev="proc" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=dir permissive=0 Bug: 26833472 Change-Id: I975ae022c093e1cf80de21487dc11e49f938e5a3
abf31acb · dcashman · 35a14514 · abf31acb
Commit abf31acb authored 9 years ago by dcashman
--- a/domain.te
+++ b/domain.te
@@ -22,7 +22,7 @@ allow domain self:process {
    setrlimit
 };
 allow domain self:fd use;
-allow domain proc:dir search;
+allow domain proc:dir r_dir_perms;
 allow domain proc_net:dir search;
 r_dir_file(domain, self)
 allow domain self:{ fifo_file file } rw_file_perms;