From d6eaed854d58a8acbfa1a948d6913886b31102a4 Mon Sep 17 00:00:00 2001
From: Mark Salyzyn <salyzyn@google.com>
Date: Thu, 14 Jun 2018 07:34:19 -0700
Subject: [PATCH] access to /proc/slabinfo

init, dumpstate and shell

Test: check avc for init is now gone
Bug: 7232205
Bug: 109821005
Change-Id: I299a0ba29bcc97a97047f12a5c48f6056f5e6de5
---
 private/app_neverallows.te   | 1 +
 private/compat/26.0/26.0.cil | 1 +
 private/compat/27.0/27.0.cil | 2 +-
 private/genfs_contexts       | 1 +
 public/dumpstate.te          | 1 +
 public/file.te               | 1 +
 public/init.te               | 1 +
 public/shell.te              | 1 +
 8 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index e71d565c0..cf582789f 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -125,6 +125,7 @@ neverallow all_untrusted_apps {
   proc_loadavg
   proc_mounts
   proc_pagetypeinfo
+  proc_slabinfo
   proc_stat
   proc_swaps
   proc_uptime
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index de83c8169..4699ecf43 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -481,6 +481,7 @@
     proc_pipe_conf
     proc_random
     proc_sched
+    proc_slabinfo
     proc_swaps
     proc_uid_time_in_state
     proc_uid_concurrent_active_time
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index b19f3d405..e5d50e472 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -456,7 +456,7 @@
 (expandtypeattribute (preopt2cachename_exec_27_0) true)
 (expandtypeattribute (print_service_27_0) true)
 (expandtypeattribute (priv_app_27_0) true)
-(expandtypeattribute (proc_27_0) true)
+(typeattributeset proc_27_0 (proc proc_slabinfo))
 (expandtypeattribute (proc_bluetooth_writable_27_0) true)
 (expandtypeattribute (proc_cpuinfo_27_0) true)
 (expandtypeattribute (proc_drop_caches_27_0) true)
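Review bot: The added line replaces `(expandtypeattribute (proc_27_0) true)` rather than extending the attribute's mapping, so `proc_27_0` becomes the only versioned attribute in this run without an expandtypeattribute statement, and a typeattributeset now sits inside the expandtypeattribute block. The 26.0.cil hunk, by contrast, appears to add `proc_slabinfo` to an existing member list. If this file already has a `(typeattributeset proc_27_0 (proc))` mapping further down (not visible in this hunk), I would keep the removed line and make the change there, as `(typeattributeset proc_27_0 (proc proc_slabinfo))`. If dropping the expansion is deliberate, a one-line comment saying why would help the next person who edits the compat mapping.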
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 265e646c3..afc671739 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -23,6 +23,7 @@ genfscon proc /net/xt_qtaguid/ctrl u:object_r:proc_qtaguid_ctrl:s0
 genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
 genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0
+genfscon proc /slabinfo u:object_r:proc_slabinfo:s0
 genfscon proc /softirqs u:object_r:proc_timer:s0
 genfscon proc /stat u:object_r:proc_stat:s0
 genfscon proc /swaps u:object_r:proc_swaps:s0
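Review bot: Once `/slabinfo` carries its own label, every domain that read it through a rule on the generic `proc` type loses that access, and this commit re-grants it only to init, dumpstate and shell. The Test line mentions only the init denial, so it is worth also checking a full boot and a bugreport run for new `avc: denied` entries with `tcontext=u:object_r:proc_slabinfo:s0`. Tightening the label is the right direction, because slab statistics describe kernel allocator state. The check is only there to catch a platform domain that silently stops working.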
diff --git a/public/dumpstate.te b/public/dumpstate.te
index f6c750730..412418ab1 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -167,6 +167,7 @@ allow dumpstate {
   proc_pagetypeinfo
   proc_qtaguid_ctrl
   proc_qtaguid_stat
+  proc_slabinfo
   proc_version
   proc_vmallocinfo
   proc_vmstat
diff --git a/public/file.te b/public/file.te
index 8c33bedb9..68ce32170 100644
--- a/public/file.te
+++ b/public/file.te
@@ -45,6 +45,7 @@ type proc_pid_max, fs_type, proc_type;
 type proc_pipe_conf, fs_type, proc_type;
 type proc_random, fs_type, proc_type;
 type proc_sched, fs_type, proc_type;
+type proc_slabinfo, fs_type, proc_type;
 type proc_stat, fs_type, proc_type;
 type proc_swaps, fs_type, proc_type;
 type proc_sysrq, fs_type, proc_type;
diff --git a/public/init.te b/public/init.te
index 2519311db..e37f1ce5e 100644
--- a/public/init.te
+++ b/public/init.te
@@ -320,6 +320,7 @@ allow init {
   proc_kmsg
   proc_net
   proc_qtaguid_stat
+  proc_slabinfo
   proc_sysrq
   proc_qtaguid_ctrl
   proc_vmallocinfo
diff --git a/public/shell.te b/public/shell.te
index 8e6ae4cdd..6755f69e5 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -128,6 +128,7 @@ allow shell {
   proc_modules
   proc_pid_max
   proc_qtaguid_stat
+  proc_slabinfo
   proc_stat
   proc_timer
   proc_uptime
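Review bot: Adding `proc_slabinfo` to the shell allow list makes kernel slab statistics readable from any adb shell as far as SELinux is concerned, apparently on user builds too, since nothing visible here limits it by build type. The permission set and the end of this `allow shell { ... }` statement are outside the hunk. The commit message does not say why shell needs the access, while the same commit forbids the type to untrusted apps. If the use is debugging only, consider taking the entry out of this list and wrapping a separate `allow shell proc_slabinfo:file r_file_perms;` rule in the `userdebug_or_eng` macro. Otherwise, add a comment above the entry naming the tool or test that depends on it.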
-- 
GitLab