From bc1986fbff3e4def8d28b78fae02a96bd0899a65 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Mon, 27 Jun 2016 15:38:25 -0700
Subject: [PATCH] domain: allow reading /proc/sys/vm/overcommit_memory

Needed for jemalloc commit:

2f970c32b527660a33fa513a76d913c812dcf7c
Modify pages_map() to support mapping uncommitted virtual memory.

avc: denied { read } for name="overcommit_memory" dev="proc" ino=10544
scontext=u:r:wificond:s0 tcontext=u:object_r:proc:s0 tclass=file

Bug: 29773242
Change-Id: I78054c1ed576a7998c4ee1d1beca2f610c589c3a
---
 domain.te      | 3 +++
 file.te        | 2 +-
 genfs_contexts | 1 +
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/domain.te b/domain.te
index 4ecca7e06..d02db11f9 100644
--- a/domain.te
+++ b/domain.te
@@ -115,6 +115,9 @@ allow domain proc:lnk_file { getattr read };
 # /proc/cpuinfo
 allow domain proc_cpuinfo:file r_file_perms;
 
+# jemalloc needs to read /proc/sys/vm/overcommit_memory
+allow domain proc_overcommit_memory:file r_file_perms;
+
 # toybox loads libselinux which stats /sys/fs/selinux/
 allow domain selinuxfs:dir search;
 allow domain selinuxfs:file getattr;
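Review bot: `allow domain proc_overcommit_memory:file r_file_perms;` hands every process more than the logged denial asked for — the avc line in the commit message shows only `read`, while the macro also carries open, getattr, ioctl and lock (the exact set is defined in global_macros, outside this patch). That mirrors how proc_cpuinfo is treated directly above, so it is defensible for consistency, but the comment should say that only reading is being opened to all domains, e.g. `# jemalloc (linked into every process) reads /proc/sys/vm/overcommit_memory; writes stay restricted.` If nothing in the policy currently confines who may write this sysctl, consider pairing the grant with `neverallow { domain -init } proc_overcommit_memory:file { write append setattr };` — I cannot see from this hunk whether init or another domain legitimately writes it, so confirm the writer set before adding that.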
diff --git a/file.te b/file.te
index f30911aea..cab2a5e61 100644
--- a/file.te
+++ b/file.te
@@ -6,8 +6,8 @@ type rootfs, fs_type;
 type proc, fs_type;
 # Security-sensitive proc nodes that should not be writable to most.
 type proc_security, fs_type;
-# Type for /proc/sys/vm/drop_caches
 type proc_drop_caches, fs_type;
+type proc_overcommit_memory, fs_type;
 # proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
 type usermodehelper, fs_type, sysfs_type;
 type qtaguid_proc, fs_type, mlstrustedobject;
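Review bot: The hunk removes the `# Type for /proc/sys/vm/drop_caches` comment above `type proc_drop_caches, fs_type;` and adds `type proc_overcommit_memory, fs_type;` with no comment, leaving two proc-node types unexplained beneath a comment that describes proc_security only. Restore the removed line and add one for the new type: `# Type for /proc/sys/vm/drop_caches` and `# Type for /proc/sys/vm/overcommit_memory; readable by all domains (jemalloc), see domain.te`. Keeping the node-to-type mapping documented here matters because a mislabelled sysctl silently changes which domains can write it.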
diff --git a/genfs_contexts b/genfs_contexts
index d823476e7..891c686fb 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -23,6 +23,7 @@ genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
 genfscon proc /sys/net u:object_r:proc_net:s0
 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
 genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
+genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
 genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
 genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
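Review bot: Any domain that previously wrote this sysctl through a rule on the generic `proc` type loses that access once `/sys/vm/overcommit_memory` carries its own `proc_overcommit_memory` label, and this patch adds only the domain-wide read rule in domain.te. Check init.te and the .rc files for a `write /proc/sys/vm/overcommit_memory` line or a vendor tuning service, and either grant `proc_overcommit_memory:file w_file_perms` to those domains explicitly or confirm nothing writes it. I cannot see those files from this patch, so treat this as a point to verify rather than a known breakage. The narrower label is otherwise the right move, since it is what makes a write-restricting neverallow expressible later.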
 
-- 
GitLab