domain_deprecated: remove proc access

am: c15d54ef Change-Id: I5b47e2ced9dd5aa92727076e4cef0cc4ebaeaf7c

domain_deprecated: remove proc access
am: c15d54ef Change-Id: I5b47e2ced9dd5aa92727076e4cef0cc4ebaeaf7c
ad95219c · Jeff Vander Stoep · android-build-merger · 58c75f3f · c15d54ef · ad95219c
Commit ad95219c authored 7 years ago by Jeff Vander Stoep Committed by android-build-merger 7 years ago
--- a/private/domain_deprecated.te
+++ b/private/domain_deprecated.te
 # rules removed from the domain attribute
 # Read access to pseudo filesystems.
-r_dir_file(domain_deprecated, proc)
 r_dir_file(domain_deprecated, sysfs)
 userdebug_or_eng(`
-auditallow {
-  domain_deprecated
-  -fsck
-  -fsck_untrusted
-  -sdcardd
-  -system_server
-  -update_engine
-  -vold
-} proc:file r_file_perms;
-auditallow {
-  domain_deprecated
-  -fsck
-  -fsck_untrusted
-  -system_server
-  -vold
-} proc:lnk_file { open ioctl lock }; # getattr read granted in domain
 auditallow {
  domain_deprecated
  -fingerprintd

--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -41,6 +41,9 @@ allow platform_app vfat:file create_file_perms;
 # com.android.systemui
 allow platform_app rootfs:dir getattr;
+# com.android.captiveportallogin reads /proc/vmstat
+allow platform_app proc:file r_file_perms;
 allow platform_app audioserver_service:service_manager find;
 allow platform_app cameraserver_service:service_manager find;
 allow platform_app drmserver_service:service_manager find;

--- a/private/system_app.te
+++ b/private/system_app.te
@@ -84,6 +84,9 @@ allow system_app keystore:keystore_key {
 # /sys access
 r_dir_file(system_app, sysfs_type)
+# settings app reads /proc/version and /proc/pagetypeinfo
+allow system_app proc:file r_file_perms;
 control_logd(system_app)
 read_runtime_log_tags(system_app)

--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -37,3 +37,6 @@ allow uncrypt block_device:dir r_dir_perms;
 allow uncrypt userdata_block_device:blk_file w_file_perms;
 r_dir_file(uncrypt, rootfs)
+# uncrypt reads /proc/cmdline
+allow uncrypt proc:file r_file_perms;
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -38,10 +38,8 @@ allow update_engine_common shell_exec:file rx_file_perms;
 # Allow update_engine_common to suspend, resume and kill the postinstall program.
 allow update_engine_common postinstall:process { signal sigstop sigkill };
-# access /proc/misc
+# access /proc/misc and /proc/sys/kernel/random/boot_id
-# Access is also granted to proc:file, but it is likely unneeded
+allow update_engine proc:file r_file_perms;
-# due to the more specific grant to proc_misc immediately below.
-allow update_engine proc:file r_file_perms; # delete candidate
 allow update_engine proc_misc:file r_file_perms;
 # read directories on /system and /vendor