From d0fe17cae499c8fd988ab87d058b4a1ecd715a94 Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Thu, 29 Mar 2018 13:45:30 -0700
Subject: [PATCH] init: restrict setattr perms to /proc.

Bug: 65643247
Test: device boots without denials from init to proc_*
Change-Id: I44729e791366cdedec27603558b2e929fa414168
---
 public/init.te | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/public/init.te b/public/init.te
index 35a98fe44..bcff07fb5 100644
--- a/public/init.te
+++ b/public/init.te
@@ -227,7 +227,7 @@ allow init debugfs_wifi_tracing:file w_file_perms;
 allow init {
   fs_type
   -contextmount_type
-  -proc
+  -proc_type
   -sdcard_type
   -sysfs_type
   -rootfs
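Review bot: The exclusion on the new-side line `-proc_type` only withholds the broad grant from labels that actually carry the `proc_type` attribute, so it is worth confirming that the generic `proc` type (the only label this rule excluded before) is declared with `proc_type`; if it is not, this change would silently re-extend the `fs_type` grant to it. The same applies to any new proc label a vendor adds later without the attribute. The rule's class and permission set are outside the hunk, so what is actually being withheld cannot be confirmed from here.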
@@ -311,6 +311,17 @@ allow init {
   proc_security
 }:file rw_file_perms;
 
+# init chmod/chown access to /proc files.
+allow init {
+  proc_cmdline
+  proc_kmsg
+  proc_net
+  proc_qtaguid_stat
+  proc_sysrq
+  proc_qtaguid_ctrl
+  proc_vmallocinfo
+}:file setattr;
+
 # init access to /sys files.
 allow init {
   sysfs_android_usb
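Review bot: The type list in the new `setattr` rule is not in the sorted order the neighbouring rules use (`proc_qtaguid_ctrl` follows `proc_sysrq` rather than `proc_qtaguid_stat`), which makes later additions and duplicate checks harder to review; moving `proc_qtaguid_ctrl` up next to `proc_qtaguid_stat` fixes that. The header comment could also record where the set comes from so it is not widened casually, e.g. `# init chmod/chown access to /proc files. Keep this list limited to the files init.rc actually chmod/chowns; widening it grants mode/owner changes on other proc nodes.` Whether each entry, in particular `proc_cmdline` and `proc_net`, corresponds to an existing chmod/chown in init.rc is not visible from the hunk and is presumably what the boot-without-denials test covers.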
-- 